OpenLDAP SSL configuration – Part 1

To enable an SSL/TLS connection to the server, the SSL/TLS protocol needs a server certificate. We are going to use openssl to create the certificates for our own testing purposes.

Procedure

1. Create a CA root certificate
2. Create a CSR for the ldap server
3. Use the CA to sign the CSR
4. Enable SSL in openldap

Note: I’ve used Solaris10-x86 for the illustration

1. Create a CA root certificate

Note: When asked for a 'Common Name', you must enter the fully-qualified domain name (FQDN) of the server, e.g. myserver.com.

1. Create a directory for creating and signing your certificates.

# mkdir /opt/myca

2. Change to /opt/myca and run the OpenSSL CA script

# cd /opt/myca
# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
..........................................................................................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: < password >
Verifying - Enter PEM pass phrase:< password-again >   ### Remember the pass-phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI
Organizational Unit Name (eg, section) []:SMI
Common Name (eg, YOUR name) []:myserver.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: < password >
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Aug  6 17:08:44 2007 GMT
            Not After : Aug  5 17:08:44 2010 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = Karnataka
            organizationName          = SMI
            organizationalUnitName    = SMI
            commonName                = myserver.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                25:CB:8C:4A:5D:86:A6:41:84:01:08:47:5B:4B:63:E0:49:5B:58:BB
            X509v3 Authority Key Identifier:
                keyid:25:CB:8C:4A:5D:86:A6:41:84:01:08:47:5B:4B:63:E0:49:5B:58:BB

Certificate is to be certified until Aug  5 17:08:44 2010 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
#

This creates /opt/myca/demoCA/cacert.pem and /opt/myca/demoCA/private/cakey.pem (CA cert and private key). For our ldap configuration we'll be using /opt/myca/demoCA/cacert.pem.

2. Create a CSR for the ldap server

Note: When asked for a 'Common Name', you must enter the ldap url in the following format:
      ldaps://<FQDN of the ldap server>:<ssl-port>
      e.g. ldaps://ldapserver.com:636

# openssl req -newkey  rsa:1024  -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............................++++++
..++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI
Organizational Unit Name (eg, section) []:SMI
Common Name (eg, YOUR name) []:ldaps://ldapserver.com:636
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls
demoCA      newreq.pem

This creates the CSR "newreq.pem". Because -keyout and -out name the same file, it also holds the server's private key.

3. Use the CA to sign the CSR

# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:< password >
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  6 17:10:02 2007 GMT
            Not After : Aug  5 17:10:02 2008 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = Karnataka
            localityName              = Bangalore
            organizationName          = SMI
            organizationalUnitName    = SMI
            commonName                = myserver.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7F:F3:DC:67:A9:48:60:D0:97:11:AE:F5:28:BF:8D:AC:4C:5B:DE:8C
            X509v3 Authority Key Identifier:
                keyid:25:CB:8C:4A:5D:86:A6:41:84:01:08:47:5B:4B:63:E0:49:5B:58:BB

Certificate is to be certified until Aug  5 17:10:02 2008 GMT (365 days)
Sign the certificate? [y/n]:y 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, O=SMI, OU=SMI, CN=myserver.com
        Validity
            Not Before: Aug  6 17:10:02 2007 GMT
            Not After : Aug  5 17:10:02 2008 GMT
        Subject: C=IN, ST=Karnataka, L=Bangalore, O=SMI, OU=SMI, CN=ldaps://ldapserver.com:636
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:d4:64:15:5a:7d:18:0e:23:cf:9b:40:8c:4a:
                    2a:5d:04:94:52:eb:a0:bb:ea:a1:40:3c:06:bd:e1:
                    1f:f8:8a:0f:ca:a6:0c:c8:22:5c:f4:e3:35:8a:6b:
                    48:81:6c:a1:8c:fc:b4:82:99:00:f6:a9:71:29:20:
                    68:e4:4c:84:87:48:34:e1:c8:78:59:41:57:09:ad:
                    2b:76:73:a3:0b:29:14:3d:0b:fc:96:7e:c6:51:99:
                    43:a8:9f:4f:13:95:cb:34:ba:fb:70:6c:d0:3a:ae:
                    65:0e:0a:5e:d3:cd:f9:20:9f:da:26:a4:35:bb:38:
                    dd:e2:46:93:6d:72:31:95:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7F:F3:DC:67:A9:48:60:D0:97:11:AE:F5:28:BF:8D:AC:4C:5B:DE:8C
            X509v3 Authority Key Identifier:
                keyid:25:CB:8C:4A:5D:86:A6:41:84:01:08:47:5B:4B:63:E0:49:5B:58:BB
    Signature Algorithm: sha1WithRSAEncryption
        6e:17:42:d8:f0:ee:f4:63:37:08:05:9e:6f:83:ed:d9:db:45:
        c0:60:2f:f0:06:51:bb:74:b9:bc:b1:1d:95:6e:0b:e9:98:39:
        93:ce:76:d1:16:a6:ea:c8:8b:50:ee:99:d6:5f:df:11:80:b1:
        3b:4c:7f:8c:3d:b3:3e:8b:a8:be:68:46:1c:6f:87:05:93:4d:
        d6:ca:1e:4d:c0:70:d4:b5:2d:fc:be:c4:8b:ba:20:35:94:32:
        e7:13:3e:7b:28:5e:98:28:02:d4:42:be:26:c2:08:d0:f0:3e:
        c1:20:fc:e7:1f:38:1d:69:d5:bf:84:e2:94:98:a8:05:ec:b4:
        20:66
-----BEGIN CERTIFICATE-----
MIICwTCCAiqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJJTjES
MBAGA1UECBMJS2FybmF0YWthMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NNSTEf
MB0GA1UEAxMWaWVjY2FwczIuaW5kaWEuc3VuLmNvbTAeFw0wNzA4MDYxNzEwMDJa
Fw0wODA4MDUxNzEwMDJaMHIxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRh
a2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEMMAoGA1UEChMDU01JMQwwCgYDVQQLEwNT
TUkxHzAdBgNVBAMTFmllY2NhcHMyLmluZGlhLnN1bi5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBANbUZBVafRgOI8+bQIxKKl0ElFLroLvqoUA8Br3hH/iK
D8qmDMgiXPTjNYprSIFsoYz8tIKZAPapcSkgaORMhIdINOHIeFlBVwmtK3Zzowsp
FD0L/JZ+xlGZQ6ifTxOVyzS6+3Bs0DquZQ4KXtPN+SCf2iakNbs43eJGk21yMZUd
AgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2Vu
ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/89xnqUhg0JcRrvUov42sTFve
jDAfBgNVHSMEGDAWgBQly4xKXYamQYQBCEdbS2PgSVtYuzANBgkqhkiG9w0BAQUF
AAOBgQBuF0LY8O70YzcIBZ5vg+3Z20XAYC/wBlG7dLm8sR2VbgvpmDmTznbRFqbq
yItQ7pnWX98RgLE7TH+MPbM+i6i+aEYcb4cFk03Wyh5NwHDUtS38vsSLuiA1lDLn
Ez57KF6YKALUQr4mwgjQ8D7BIPznHzgdadW/hOKUmKgF7LQgZg==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

# ls
demoCA       newcert.pem  newreq.pem

This creates newcert.pem, the server certificate signed by the CA. The server's private key is still in newreq.pem from step 2.
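The three steps above as one non-interactive script, added here as an example and not taken from the post (the post drives the same openssl commands through the interactive CA.sh wrapper). It assumes openssl 1.1.1 or later on PATH; the directory, file names and DN values are the post's or constructed for the demo. Two things differ from the post on purpose: the server certificate's Common Name is the bare hostname, which is what the comment from radek below reports working and what a TLS client compares against, and the certificate also carries a subjectAltName and a serverAuth extended key usage, which current clients check. The second function runs the checks a client performs on connect, so the result can be confirmed before slapd is touched.

```shell
#!/bin/sh
# Added example (not the post's own commands): the three CA.sh steps done
# non-interactively with plain openssl, then the checks a client performs.
# Assumes openssl 1.1.1+ on PATH; directory, file and DN values are constructed.
set -eu

make_test_pki() {
    dir="$1"    # working directory, the post's /opt/myca
    host="$2"   # FQDN of the LDAP server, the post's ldapserver.com
    mkdir -p "$dir"

    # Minimal openssl config: the CA's DN and the v3 extensions that mark it
    # as a CA. CA.sh -newca takes the same from /usr/local/ssl/openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = IN
ST = Karnataka
L  = Bangalore
O  = SMI
OU = SMI
CN = Test CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Step 1: self-signed CA certificate. -nodes leaves the key unencrypted,
    # acceptable only because this is a throwaway test CA.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1095 -keyout "$dir/cakey.pem" -out "$dir/cacert.pem"

    # Step 2: server key and CSR. The CN is the bare hostname: that is what
    # clients compare against (and what radek's comment reports working).
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=SMI/OU=SMI/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/newreq.pem"

    # Step 3: sign with the CA. CA:FALSE and the key identifiers mirror the
    # extensions in the post's output; subjectAltName is what current clients
    # match the name against, and serverAuth limits the cert to its purpose.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' \
        "subjectAltName = DNS:$host" \
        'extendedKeyUsage = serverAuth' > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/newreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/newcert.pem"
}

# The checks a TLS client performs: the chain leads to the CA, the leaf is
# fit for a server, and the name matches. Returns 0 only if all pass.
verify_server_cert() {
    dir="$1"; host="$2"
    openssl verify -purpose sslserver -CAfile "$dir/cacert.pem" "$dir/newcert.pem" || return 1
    openssl x509 -in "$dir/newcert.pem" -noout -checkhost "$host" | grep -q ' does match ' || return 1
}
```

Running `make_test_pki /opt/myca ldapserver.com && verify_server_cert /opt/myca ldapserver.com` leaves cacert.pem, newreq.pem, serverkey.pem and newcert.pem in the directory, in the roles the post assigns them; a wrong hostname in the second call fails the name check while the chain check still passes, which is the failure mode a mistyped Common Name produces.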

So far we have only created the certificates the openldap server needs. Let's see how to configure openldap using these certificates …

4 Responses to OpenLDAP SSL configuration – Part 1

  1. Bubuk says:

    I got stuck as early as Step 1. Am using openssl version OpenSSL 0.9.8g 19 Oct 2007
    Please assist. The following is the output. openssl complained about the -selfsign switch. What did I do wrong?
    [root@mta ldap]# /usr/local/ssl/misc/CA.sh -newca
    CA certificate filename (or enter to create)
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ......................++++++
    ..........++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    phrase is too short, needs to be at least 4 chars
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    phrase is too short, needs to be at least 4 chars
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:
    State or Province Name (full name) [Berkshire]:
    Locality Name (eg, city) [Newbury]:
    Organization Name (eg, company) [My Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:example.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:topsecret
    An optional company name []:ABC 123
    unknown option -selfsign
    usage: ca args
    -verbose - Talk alot while doing things
    -config file - A config file
    -name arg - The particular CA definition to use
    -gencrl - Generate a new CRL
    -crldays days - Days is when the next CRL is due
    -crlhours hours - Hours is when the next CRL is due
    -startdate YYMMDDHHMMSSZ - certificate validity notBefore
    -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)
    -days arg - number of days to certify the certificate for
    -md arg - md to use, one of md2, md5, sha or sha1
    -policy arg - The CA 'policy' to support
    -keyfile arg - private key file
    -keyform arg - private key file format (PEM or ENGINE)
    -key arg - key to decode the private key if it is encrypted
    -cert file - The CA certificate
    -in file - The input PEM encoded certificate request(s)
    -out file - Where to put the output file(s)
    -outdir dir - Where to put output certificates
    -infiles .... - The last argument, requests to process
    -spkac file - File contains DN and signed public key and challenge
    -ss_cert file - File contains a self signed cert to sign
    -preserveDN - Don't re-order the DN
    -noemailDN - Don't add the EMAIL field into certificate' subject
    -batch - Don't ask questions
    -msie_hack - msie modifications to handle all those universal strings
    -revoke file - Revoke a certificate (given in file)
    -subj arg - Use arg instead of request's subject
    -extensions .. - Extension section (override value in config file)
    -extfile file - Configuration file with X509v3 extentions to add
    -crlexts .. - CRL extension section (override value in config file)
    -engine e - use engine e, possibly a hardware device.
    -status serial - Shows certificate status given the serial number
    -updatedb - Updates db for expired certificates
    [root@mta ldap]#

  2. radek says:

    Hi,
    it's one of the best sites about ldap&ssl, but I lost a few hours, because I put
    'ldaps://ldapserver.com:636' instead of 'ldapserver.com' in 'Common Name' in the command:
    openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem.
    radek

  3. 金梓 says:

    Please give me a configuration for Windows XP Professional. Thank you!

  4. Hugo Ferreira says:

    Hi!
    I'm facing some problems doing this tutorial.
    My slapd command isn't located at /usr/local/libexec/; instead its location is /usr/sbin/.
    I completed all 4 steps and when I use this command: ./slapd -h "ldap://ldapserver.com:389 ldaps://ldapserver.com:636" no password is asked of me, and when I use the netstat command, only port 389 appears listening:
    tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
    tcp 0 0 :::389 :::* LISTEN
    I’m using Centos 5.
    Have you any idea of what’s wrong?
    Thanks in advance,
    Hugo
