I forget this almost every time, so I am writing it down here just in case.
- Have OpenSSL installed somewhere.
- Go to the share/ssl directory of that installation (sometimes it is just called ssl).
- Edit openssl.cnf: change "demoCA" to something more appropriate, such as "somethingCA".
- Change "-days 365" in misc/CA.sh to "-days 3650" so the certificates last ten years instead of one.
- Run misc/CA.sh -newca. A directory called "somethingCA" will be created here.
- Now create a certificate request:
- misc/CA.sh -newreq creates a request whose key is protected by a passphrase.
- To create a request without a passphrase, run "openssl genrsa -out newkey.pem 1024" and then "openssl req -new -key newkey.pem -out newreq.pem".
- Sign the generated request with "misc/CA.sh -sign". It always looks for "newreq.pem", so be careful. The new certificate will be in newcert.pem.
- Copy the key and the certificate to the machine that will use them, into the appropriate directory (/usr/share/ssl/certs/{slapd-key.pem,slapd.pem} for OpenLDAP).
- Find the hash of the CA certificate with "misc/c_hash somethingCA/cacert.pem". The printed value is the file name: copy somethingCA/cacert.pem into /usr/share/ssl/certs/ under that hash name followed by ".0".
For OpenLDAP
- /etc/openldap/ldap.conf and /etc/openldap/slapd.conf need to be changed to trust the new CA. Set the following, using the hash file name from the step above (here fde68c33.0):
- "TLS_CACERT /usr/share/ssl/certs/fde68c33.0" in /etc/openldap/ldap.conf
- "TLSCACertificateFile /usr/share/ssl/certs/fde68c33.0" in /etc/openldap/slapd.conf
I hope I never forget this again.