Directory Service with OpenLDAP [6]: Certificates on Debian 7 "Wheezy"

The procedure for installing and configuring slapd, together with everything else described in the two previous articles, is valid for Wheezy, with the exception of certificate generation.

We will mostly use the console style, since these are console commands. We keep all the output so that we gain clarity and can read carefully which messages the process returns, messages we otherwise almost never read attentively.

The point that needs the greatest care is when we are asked:

Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu

Here we must enter the FQDN of our LDAP server, which in our case is mildap.amigos.cu. If we do not do it that way, the certificate will not work correctly.

To obtain the certificates, we follow this procedure:

:~# mkdir /root/myca
:~# cd /root/myca/
:~/myca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
................+++
....................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:xeon
Verifying - Enter PEM pass phrase:xeon
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bb:9c:1b:72:a7:1d:d1:e1
Validity
Not Before: Nov 21 05:23:50 2013 GMT
Not After : Nov 20 05:23:50 2016 GMT
Subject:
countryName               = CU
stateOrProvinceName       = Habana
organizationName          = Freekes
organizationalUnitName    = Freekes
commonName                = mildap.amigos.cu
emailAddress              = frodo@amigos.cu
X509v3 extensions:
X509v3 Subject Key Identifier:
79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 20 05:23:50 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
#######################################################################
#######################################################################
:~/myca# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key
.........+++
...........................................+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes
########################################################################
########################################################################

:~/myca# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bb:9c:1b:72:a7:1d:d1:e2
Validity
Not Before: Nov 21 05:27:52 2013 GMT
Not After : Nov 21 05:27:52 2014 GMT
Subject:
countryName               = CU
stateOrProvinceName       = Habana
localityName              = Habana
organizationName          = Freekes
organizationalUnitName    = Freekes
commonName                = mildap.amigos.cu
emailAddress              = frodo@amigos.cu
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Certificate is to be certified until Nov 21 05:27:52 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bb:9c:1b:72:a7:1d:d1:e2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CU, ST=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
Validity
Not Before: Nov 21 05:27:52 2013 GMT
Not After : Nov 21 05:27:52 2014 GMT
Subject: C=CU, ST=Habana, L=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c7:52:49:72:dc:93:aa:bc:6c:59:00:5c:08:74:
e1:7a:d9:f4:06:04:a5:b5:47:16:6a:ee:e8:37:86:
57:cb:a8:2e:87:13:27:23:ab:5f:85:69:fd:df:ad:
db:00:83:43:4d:dc:4f:26:b8:62:d1:b7:5c:60:98:
61:89:ac:e5:e4:99:62:5d:36:cf:94:7d:59:b7:3b:
be:dd:14:0d:2e:a3:87:3a:0b:8f:d9:69:58:ee:1e:
82:a8:95:83:80:4b:92:9c:76:8e:35:90:d4:53:71:
b2:cf:88:2a:df:6f:17:d0:18:f3:a5:8c:1e:5f:5f:
05:7a:8d:1d:24:d8:cf:d6:11:50:0d:cf:18:2e:7d:
84:7c:3b:7b:20:b5:87:91:e5:ba:13:70:7b:79:3c:
4c:21:df:fb:c6:38:92:93:4d:a7:1c:aa:bd:30:4c:
61:e6:c8:8d:e4:e8:14:4f:75:37:9f:ae:b9:7b:31:
37:e9:bb:73:7f:82:c1:cc:92:21:fd:1a:05:ab:9e:
82:59:c8:f2:95:7c:6b:d4:97:48:8a:ce:c1:d1:26:
7f:be:38:0e:53:a7:03:c6:30:80:43:f4:f6:df:2e:
8f:62:48:a0:8c:30:6b:b6:ba:36:8e:3d:b9:67:a0:
48:a8:12:b7:c9:9a:c6:ba:f5:45:58:c7:a5:1a:e7:
4f:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Signature Algorithm: sha1WithRSAEncryption
66:20:5c:6f:58:c1:7d:d7:f6:a9:82:ab:2b:62:15:1f:31:5a:
56:82:0e:ff:73:4f:3f:9b:36:5e:68:24:b4:17:3f:fd:ed:9f:
96:43:70:f2:8b:5f:22:cc:ed:49:cf:84:f3:ce:90:58:fa:9b:
1d:bd:0b:cd:75:f3:3c:e5:fc:a8:e3:b7:8a:65:40:04:1e:61:
de:ea:84:39:93:81:c6:f6:9d:cf:5d:d7:35:96:1f:97:8d:dd:
8e:65:0b:d6:c4:01:a8:fc:4d:37:2d:d7:50:fd:f9:22:30:97:
45:f5:64:0e:fa:87:46:38:b3:6f:3f:0f:ef:60:ca:24:86:4d:
23:0c:79:4d:77:fb:f0:de:3f:2e:a3:07:4b:cd:1a:de:4f:f3:
7a:03:bf:a6:d4:fd:20:f5:17:6b:ac:a9:87:e8:71:01:d7:48:
8f:9a:f3:ed:43:60:58:73:62:b2:99:82:d7:98:97:45:09:90:
0c:21:02:82:3b:2a:e7:c7:fe:76:90:00:d9:db:87:c7:e5:93:
14:6a:6e:3b:fd:47:fc:d5:cd:95:a7:cc:ea:49:c0:64:c5:e7:
55:cd:2f:b1:e0:2b:3d:c4:a1:18:77:fb:73:93:69:92:dd:9d:
d8:a5:2b:5f:31:25:ea:94:67:49:4e:3f:05:bf:6c:97:a3:1b:
02:bf:2b:b0
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
###################################################################
###################################################################

:~/myca# cp demoCA/cacert.pem /etc/ssl/certs/
:~/myca# mv newcert.pem /etc/ssl/certs/mildap-cert.pem
:~/myca# mv newreq.pem /etc/ssl/private/mildap-key.pem
:~/myca# chmod 600 /etc/ssl/private/mildap-key.pem

:~/myca# nano certinfo.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

:~/myca# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/myca/certinfo.ldif

:~/myca# aptitude install ssl-cert

:~/myca# adduser openldap ssl-cert
Añadiendo al usuario `openldap' al grupo `ssl-cert' ...
Añadiendo al usuario openldap al grupo ssl-cert
Hecho.
:~/myca# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~/myca# chmod g+r /etc/ssl/private/mildap-key.pem
:~/myca# chmod o-r /etc/ssl/private/mildap-key.pem
:~/myca# service slapd restart
[ ok ] Stopping OpenLDAP: slapd.
[ ok ] Starting OpenLDAP: slapd.

:~/myca# tail /var/log/syslog
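The interactive CA.sh session above is hard to repeat and easy to get wrong (the CN prompt being the classic slip). As an added example that is not part of the original article, the following script does the same three steps with plain openssl, non-interactively, and then runs the checks worth doing before handing the files to slapd: that the server certificate chains to our CA, that the FQDN really is in it, and that the private key is not world-readable. Assumptions of my own, not from the article: the FQDN defaults to mildap.amigos.cu, files go into a scratch directory from mktemp, the CA key is left unencrypted so the script runs unattended, the CA gets a CN distinct from the server's, SHA-256 is used instead of the sha1WithRSAEncryption visible in the article's output, and a subjectAltName is added because current TLS clients match the hostname against the SAN rather than the CN. The key and the CSR are written to separate files, whereas the article wrote both into newreq.pem.

```shell
#!/bin/sh
# Added example, not from the article: CA.sh -newca / req / -sign done with
# plain openssl, plus the checks to run before pointing slapd at the files.
# Assumed values: FQDN mildap.amigos.cu (as in the article), scratch dir from
# mktemp, unencrypted CA key, CA CN distinct from the server CN.
set -e

FQDN="${FQDN:-mildap.amigos.cu}"
WORK="${WORK:-$(mktemp -d)}"

# Step 1: private CA (the article's "CA.sh -newca"), 1095 days as the article,
# SHA-256 instead of the SHA-1 the article's output shows.
make_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1095 \
    -subj "/C=CU/ST=Habana/O=Freekes/OU=Freekes/CN=Freekes Root CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Step 2: server key and CSR. The CN is the FQDN, as the article insists.
make_server_csr() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/C=CU/ST=Habana/L=Habana/O=Freekes/OU=Freekes/CN=$FQDN" \
    -keyout "$WORK/mildap-key.pem" -out "$WORK/mildap.csr" >/dev/null 2>&1
}

# Step 3: sign with the CA (the article's "CA.sh -sign"), 365 days, adding
# CA:FALSE and a subjectAltName carrying the same FQDN.
sign_server_cert() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$FQDN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/mildap.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/ext.cnf" -out "$WORK/mildap-cert.pem" >/dev/null 2>&1
}

# Step 4: the article's chmod 600 / g+r / o-r sequence is mode 640. The chgrp
# to ssl-cert is left out here because that group only exists on the server.
lock_down_key() {
  chmod 640 "$WORK/mildap-key.pem"
}

# Check A: the server certificate verifies against our CA.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/mildap-cert.pem" >/dev/null 2>&1
}

# Check B: the FQDN is present as CN and as SAN. A wrong name here shows up
# later as a TLS handshake failure in slapd's syslog, not at signing time.
# The regex tolerates both "CN=x" (OpenSSL 1.0) and "CN = x" (1.1 and later).
check_hostname() {
  text=$(openssl x509 -in "$WORK/mildap-cert.pem" -noout -text)
  printf '%s\n' "$text" | grep -q "CN *= *$FQDN" &&
    printf '%s\n' "$text" | grep -q "DNS:$FQDN"
}

# Check C: the key is unreadable by "others". ls(1) is parsed because the
# flags of stat(1) differ between GNU and BSD; columns 8-10 are the other bits.
key_not_world_readable() {
  others=$(ls -l "$WORK/mildap-key.pem" | cut -c8-10)
  [ "$others" = "---" ]
}

run_all() {
  make_ca && make_server_csr && sign_server_cert && lock_down_key
}

# Build everything, then report each check (a failing check does not abort).
run_all
for check in verify_chain check_hostname key_not_world_readable; do
  if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
echo "cacert.pem, mildap-cert.pem and mildap-key.pem are in $WORK"
```

After copying the three files to the locations used in the article and restarting slapd, the same chain can be checked end to end from a client with `ldapsearch -x -ZZ -H ldap://mildap.amigos.cu -b '' -s base` (the double Z makes StartTLS mandatory, so a certificate problem fails loudly instead of silently falling back to cleartext) or, with a recent OpenSSL, `openssl s_client -starttls ldap -connect mildap.amigos.cu:389 -CAfile /etc/ssl/certs/cacert.pem`.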

With this explanation and the preceding articles, we can now use Wheezy as the operating system for our Directory Service.

Stay with us for the next installment!



  1.   sdsfaae said

    How do I set up this kind of certificate, or https, on a web page without going through an external company, entity or site?
    What other uses does your certificate have?

    1.    federico said

      In the example, the cacert.pem certificate file is used to enable an encrypted communication channel between the client and the server, whether on the server itself where we have OpenLDAP, or on a client that authenticates against the Directory.

      On both the server and the client, you must declare its location in the file /etc/ldap/ldap.conf, as explained in the preceding article:
      File /etc/ldap/ldap.conf

      BASE dc=amigos,dc=cu
      URI ldap://mildap.amigos.cu

      #SIZELIMIT 12
      #TIMELIMIT 15
      #DEREF never

      # TLS certificates (needed for GnuTLS)
      TLS_CACERT /etc/ssl/certs/cacert.pem

      Of course, in the case of the client, you must copy that file to the /etc/ssl/certs folder. From then on, you can use StartTLS to communicate with the LDAP server. I recommend you read the preceding articles.

      Regards