RE: cannot open certdb
From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
Sent: Wednesday, 19 June, 2013 10:15

Comments inline.

From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
Sent: Tuesday, June 18, 2013 10:29 PM

Here's the command that I used to create the CA.
snip

Here's the command that created the certificates.

openssl req -newkey rsa:1024 -nodes -sha1 \
  -keyout cert.key -keyform PEM -out cert.req -outform PEM

Here's the command that signed the certificate.

OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem

Nit: that created a Certificate Signing Request aka CSR, and then created and signed a cert from the CSR. A CSR is NOT a cert, or even a cert-TBS (cert_info), although it is related.

[[Rod's comment]] Oh, I thought that created the actual CA file, my bad. So, what should I do?

It does create a *certificate*, under your own private CA. If that's what you want (from later posts apparently not), what you did is right, you just described it wrong. That's why I said Nit.

snip

What actually is, or is in, /etc/openldap/cacerts ?

[[Rod's comment]] The contents of the directory is the ca.pem file I created above; I copied it over there from the directory where I created the file.

Is it a directory and is ca.pem a file you put there?

[[Rod's comment]] As I said above, it's a file.

openssl will ignore 'extra' files in a CApath, but maybe openldap doesn't. If so, the error message is slightly off; the hashname openssl wants is a hash of the *subject* plus a numeric suffix, not a hash of the cert. But that could just be a typo. If that file belongs there try naming it with the value from commandline x509 -subject_hash (or -hash) followed by dot zero.

[[Rod's comment]] Could you kindly post the actual command here?

openssl x509 -in name_of_cert_file -hash
displays an 8-hex-char value e.g. 1234abcd . For that value name your file 1234abcd.0 . On Unix you normally use cp or mv or ln -s .
snip

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
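The hashed-CApath naming that Dave describes above (subject hash plus ".0", and ".1", ".2" for a collision) as a small added script, not from the thread. It assumes the openssl CLI is on PATH; the function names are made up here. The check function also catches the stray "ca.pem" that openldap skipped.

```shell
# Added example (not from the thread): install a PEM CA certificate into an
# OpenSSL-style CApath directory using the <subject_hash>.<n> naming that
# openssl (and the OpenLDAP error in the thread) expect.
# Assumes the openssl CLI is on PATH; the function names are invented here.
set -eu

# Print the 8-hex-char hash of the certificate's *subject* name.
subject_hash_of() {
  openssl x509 -noout -subject_hash -in "$1"
}

# Copy cert "$1" into directory "$2" as <hash>.0; if that name is already
# taken by a different cert (subject-hash collision), use .1, .2, ... instead.
# Prints the resulting path.
install_ca_into_capath() {
  cert="$1"; capath="$2"
  mkdir -p "$capath"
  hash=$(subject_hash_of "$cert")
  n=0
  while [ -e "$capath/$hash.$n" ]; do
    # Same cert already installed under this name? Then reuse it.
    if cmp -s "$cert" "$capath/$hash.$n"; then
      printf '%s\n' "$capath/$hash.$n"; return 0
    fi
    n=$((n + 1))
  done
  cp "$cert" "$capath/$hash.$n"
  printf '%s\n' "$capath/$hash.$n"
}

# Return 0 if every file in the CApath is named <8 hex chars>.<digits>, else 1.
# openssl ignores stray files; openldap (per the thread) complains about them.
capath_names_ok() {
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    case "${f##*/}" in
      [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Usage: sh capath.sh ca.pem /etc/openldap/cacerts
if [ "$#" -eq 2 ]; then
  install_ca_into_capath "$1" "$2"
  capath_names_ok "$2" && openssl verify -CApath "$2" "$1"
fi
```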
RE: cannot open certdb
Comments inline.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Tuesday, June 18, 2013 10:29 PM
To: openssl-users@openssl.org
Subject: RE: cannot open certdb

From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
Sent: Tuesday, 18 June, 2013 15:52

I'm trying to get LDAP to work with TLS but when I used the ldapsearch command to verify TLS is working, this error is showstopping me.

TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.

I just created a CA using a openssl.cnf and the openssl command. Here's my openssl.cnf:
snip

Here's the command that I used to create the CA.

OPENSSL=ca.cnf openssl req -x509 -nodes -days 3650 \
  -newkey rsa:2048 -out mypersonalca/certs/ca.pem \
  -outform PEM -keyout ./mypersonalca/private/ca.key

That uses ca.cnf not openssl.cnf. But the config file settings, even if different, probably don't matter to this problem.

[[Rod's comment]] Sorry about that, it's a typo.

Here's the command that created the certificates.

openssl req -newkey rsa:1024 -nodes -sha1 \
  -keyout cert.key -keyform PEM -out cert.req -outform PEM

Here's the command that signed the certificate.

OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem

Nit: that created a Certificate Signing Request aka CSR, and then created and signed a cert from the CSR. A CSR is NOT a cert, or even a cert-TBS (cert_info), although it is related.

[[Rod's comment]] Oh, I thought that created the actual CA file, my bad. So, what should I do?

But when I did 'ldapsearch -d -1 -x -LLL -ZZ' to verify that TLS is working, I got:
snip lots

TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ca.pem' - filename does not have expected format (certificate hash with numeric suffix)

openssl verification (aka trust) logic can use CA certs from a file (concatenated) often referred to as CAFile or a directory (with hashnames) often called CApath or CAdir. 'certdb' suggests either. 'cacerts' without suffix suggests the latter. But in neither case is PKCS#11 involved at all.

What actually is, or is in, /etc/openldap/cacerts ?

[[Rod's comment]] The contents of the directory is the ca.pem file I created above; I copied it over there from the directory where I created the file.

Is it a directory and is ca.pem a file you put there?

[[Rod's comment]] As I said above, it's a file.

openssl will ignore 'extra' files in a CApath, but maybe openldap doesn't. If so, the error message is slightly off; the hashname openssl wants is a hash of the *subject* plus a numeric suffix, not a hash of the cert. But that could just be a typo. If that file belongs there try naming it with the value from commandline x509 -subject_hash (or -hash) followed by dot zero.

[[Rod's comment]] Could you kindly post the actual command here?

I also have this in my ldif file:

olcTLSCACertificateFile: /home/rsimioni/mypersonalca/certs/ca.pem
olcTLSCertificateFile: /home/rsimioni/cert.pem
olcTLSCertificateKeyFile: /home/rsimioni/cert.key
olcTLSVerifyClient: allow

[[Rod's comment]] I actually removed the olcTLS entries from the ldif file and restarted slapd. I want to concentrate on getting openldap to work with tls/ssl from the ldap.conf file in /etc/openldap/.

http://linux.die.net/man/5/slapd-config describes both olcTLSCACertificateFile and olcTLSCACertificatePath with meanings that match openssl's, plus an alternate(?) meaning for MozillaNSS presumably not applicable to you.
RE: cannot open certdb
From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
Sent: Tuesday, 18 June, 2013 15:52

I'm trying to get LDAP to work with TLS but when I used the ldapsearch command to verify TLS is working, this error is showstopping me.

TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.

I just created a CA using a openssl.cnf and the openssl command. Here's my openssl.cnf:
snip

Here's the command that I used to create the CA.

OPENSSL=ca.cnf openssl req -x509 -nodes -days 3650 \
  -newkey rsa:2048 -out mypersonalca/certs/ca.pem \
  -outform PEM -keyout ./mypersonalca/private/ca.key

That uses ca.cnf not openssl.cnf. But the config file settings, even if different, probably don't matter to this problem.

Here's the command that created the certificates.

openssl req -newkey rsa:1024 -nodes -sha1 \
  -keyout cert.key -keyform PEM -out cert.req -outform PEM

Here's the command that signed the certificate.

OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem

Nit: that created a Certificate Signing Request aka CSR, and then created and signed a cert from the CSR. A CSR is NOT a cert, or even a cert-TBS (cert_info), although it is related.

But when I did 'ldapsearch -d -1 -x -LLL -ZZ' to verify that TLS is working, I got:
snip lots

TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ca.pem' - filename does not have expected format (certificate hash with numeric suffix)

openssl verification (aka trust) logic can use CA certs from a file (concatenated) often referred to as CAFile or a directory (with hashnames) often called CApath or CAdir. 'certdb' suggests either. 'cacerts' without suffix suggests the latter. But in neither case is PKCS#11 involved at all.

What actually is, or is in, /etc/openldap/cacerts ? Is it a directory and is ca.pem a file you put there?
openssl will ignore 'extra' files in a CApath, but maybe openldap doesn't. If so, the error message is slightly off; the hashname openssl wants is a hash of the *subject* plus a numeric suffix, not a hash of the cert. But that could just be a typo. If that file belongs there try naming it with the value from commandline x509 -subject_hash (or -hash) followed by dot zero.

I also have this in my ldif file:

olcTLSCACertificateFile: /home/rsimioni/mypersonalca/certs/ca.pem
olcTLSCertificateFile: /home/rsimioni/cert.pem
olcTLSCertificateKeyFile: /home/rsimioni/cert.key
olcTLSVerifyClient: allow

http://linux.die.net/man/5/slapd-config describes both olcTLSCACertificateFile and olcTLSCACertificatePath with meanings that match openssl's, plus an alternate(?) meaning for MozillaNSS presumably not applicable to you.