Directory Service with OpenLDAP [6]: Certificates in Debian 7 “Wheezy”

The installation and configuration procedure of the slapd, as well as the rest of what is indicated in the two previous articles, with the exception of the generation of the certificates, is valid for Wheezy.

We will use the console style mostly since it is about console commands. We leave all the outputs so that we gain clarity and we can read carefully which messages the process returns to us, which otherwise we hardly ever read carefully.

The greatest care we must have is when they ask us:

Common Name (eg server FQDN or YOUR name) []:mildap.amigos.cu

and we must write the FQDN from our LDAP server, which in our case is mildap.amigos.cu. Otherwise, the certificate will not work correctly.

To obtain the certificates, we will follow the following procedure:

: ~ # mkdir / root / myca
: ~ # cd / root / myca /
: ~ / myca # /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) Making CA certificate ... Generating a 2048 bit RSA private key ................ +++ ......... ........................... +++ writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:xeon
Verifying - Enter PEM pass phrase:xeon ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', The field will be left blank. -----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name):Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (eg server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu Please enter the following 'extra' attributes to be sent with your certificate request
The challenge password []:xeon
An optional company name []:Freekes Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:xeon Check that the request matches the signature Signature ok Certificate Details: Serial Number: bb: 9c: 1b: 72: a7: 1d: d1: e1 Validity Not Before: Nov 21 05:23:50 2013 GMT Not After: Nov 20 05 : 23: 50 2016 GMT Subject: countryName = CU stateOrProvinceName = Habana organizationName = Freekes organizationalUnitName = Freekes commonName = mildap.amigos.cu emailAddress = frodo@amigos.cu X509v3 extensions: X509v3 Subject Key Identifier: 79: B3: B2: F7: 47: 67: 92: 9F: 8A: C2: 1C: 3C: 1A: 68: FD: D4: F6: D7: 40: 9A X509v3 Authority Key Identifier: keyid: 79: B3: B2: F7: 47: 67: 92: 9F: 8A: C2: 1C: 3C: 1A: 68: FD: D4: F6: D7: 40: 9A X509v3 Basic Constraints: CA: TRUE Certificate is to be certified until Nov 20 05:23:50 2016 GMT ( 1095 days) Write out database with 1 new entries Data Base Updated ##################################### #################################################### ################################################## #####
: ~ / myca # openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key ......... +++ ............................... ............ +++ writing new private key to 'newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', The field will be left blank. -----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name):Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (eg server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu Please enter the following 'extra' attributes to be sent with your certificate request
The challenge password []:xeon
An optional company name []:Freekes ################################################# ####################### ########################### #############################################

: ~ / myca # /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xeon Check that the request matches the signature Signature ok Certificate Details: Serial Number: bb: 9c: 1b: 72: a7: 1d: d1: e2 Validity Not Before: Nov 21 05:27:52 2013 GMT Not After: Nov 21 05 : 27: 52 2014 GMT Subject: countryName = CU stateOrProvinceName = Habana localityName = Habana organizationName = Freekes organizationalUnitName = Freekes commonName = mildap.amigos.cu emailAddress = frodo@amigos.cu X509v3 extensions: X509v3 Basic Constraints: CA: FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 80: 62: 8C: 44: 5E: 5C: B8: 67: 1F: E5: C3: 50: 29: 86: BD: E4: 15: 72: 34: 98 X509v3 Authority Key Identifier: keyid: 79: B3: B2: F7: 47: 67: 92: 9F: 8A: C2: 1C: 3C: 1A: 68: FD: D4: F6: D7: 40: 9A Certificate is to be certified until Nov 21 05:27:52 2014 GMT (365 days)
Sign the certificate? [y / n]:y

1 out of 1 certificate requests certified, commit? [y / n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bb:9c:1b:72:a7:1d:d1:e2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CU, ST=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
Validity
Not Before: Nov 21 05:27:52 2013 GMT
Not After : Nov 21 05:27:52 2014 GMT
Subject: C=CU, ST=Habana, L=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c7:52:49:72:dc:93:aa:bc:6c:59:00:5c:08:74:
e1:7a:d9:f4:06:04:a5:b5:47:16:6a:ee:e8:37:86:
57:cb:a8:2e:87:13:27:23:ab:5f:85:69:fd:df:ad:
db:00:83:43:4d:dc:4f:26:b8:62:d1:b7:5c:60:98:
61:89:ac:e5:e4:99:62:5d:36:cf:94:7d:59:b7:3b:
be:dd:14:0d:2e:a3:87:3a:0b:8f:d9:69:58:ee:1e:
82:a8:95:83:80:4b:92:9c:76:8e:35:90:d4:53:71:
b2:cf:88:2a:df:6f:17:d0:18:f3:a5:8c:1e:5f:5f:
05:7a:8d:1d:24:d8:cf:d6:11:50:0d:cf:18:2e:7d:
84:7c:3b:7b:20:b5:87:91:e5:ba:13:70:7b:79:3c:
4c:21:df:fb:c6:38:92:93:4d:a7:1c:aa:bd:30:4c:
61:e6:c8:8d:e4:e8:14:4f:75:37:9f:ae:b9:7b:31:
37:e9:bb:73:7f:82:c1:cc:92:21:fd:1a:05:ab:9e:
82:59:c8:f2:95:7c:6b:d4:97:48:8a:ce:c1:d1:26:
7f:be:38:0e:53:a7:03:c6:30:80:43:f4:f6:df:2e:
8f:62:48:a0:8c:30:6b:b6:ba:36:8e:3d:b9:67:a0:
48:a8:12:b7:c9:9a:c6:ba:f5:45:58:c7:a5:1a:e7:
4f:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Signature Algorithm: sha1WithRSAEncryption
66:20:5c:6f:58:c1:7d:d7:f6:a9:82:ab:2b:62:15:1f:31:5a:
56:82:0e:ff:73:4f:3f:9b:36:5e:68:24:b4:17:3f:fd:ed:9f:
96:43:70:f2:8b:5f:22:cc:ed:49:cf:84:f3:ce:90:58:fa:9b:
1d:bd:0b:cd:75:f3:3c:e5:fc:a8:e3:b7:8a:65:40:04:1e:61:
de:ea:84:39:93:81:c6:f6:9d:cf:5d:d7:35:96:1f:97:8d:dd:
8e:65:0b:d6:c4:01:a8:fc:4d:37:2d:d7:50:fd:f9:22:30:97:
45:f5:64:0e:fa:87:46:38:b3:6f:3f:0f:ef:60:ca:24:86:4d:
23:0c:79:4d:77:fb:f0:de:3f:2e:a3:07:4b:cd:1a:de:4f:f3:
7a:03:bf:a6:d4:fd:20:f5:17:6b:ac:a9:87:e8:71:01:d7:48:
8f:9a:f3:ed:43:60:58:73:62:b2:99:82:d7:98:97:45:09:90:
0c:21:02:82:3b:2a:e7:c7:fe:76:90:00:d9:db:87:c7:e5:93:
14:6a:6e:3b:fd:47:fc:d5:cd:95:a7:cc:ea:49:c0:64:c5:e7:
55:cd:2f:b1:e0:2b:3d:c4:a1:18:77:fb:73:93:69:92:dd:9d:
d8:a5:2b:5f:31:25:ea:94:67:49:4e:3f:05:bf:6c:97:a3:1b:
02:bf:2b:b0
-----BEGIN CERTIFICATE-----
MIIECjCCAvKgAwIBAgIJALucG3KnHdHiMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV
BAYTAkNVMQ8wDQYDVQQIDAZIYXZhbmExEDAOBgNVBAoMB0ZyZWVrZXMxEDAOBgNV
BAsMB0ZyZWVrZXMxGTAXBgNVBAMMEG1pbGRhcC5hbWlnb3MuY3UxHjAcBgkqhkiG
9w0BCQEWD2Zyb2RvQGFtaWdvcy5jdTAeFw0xMzExMjEwNTI3NTJaFw0xNDExMjEw
NTI3NTJaMIGOMQswCQYDVQQGEwJDVTEPMA0GA1UECAwGSGF2YW5hMQ8wDQYDVQQH
DAZIYXZhbmExEDAOBgNVBAoMB0ZyZWVrZXMxEDAOBgNVBAsMB0ZyZWVrZXMxGTAX
BgNVBAMMEG1pbGRhcC5hbWlnb3MuY3UxHjAcBgkqhkiG9w0BCQEWD2Zyb2RvQGFt
aWdvcy5jdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdSSXLck6q8
bFkAXAh04XrZ9AYEpbVHFmru6DeGV8uoLocTJyOrX4Vp/d+t2wCDQ03cTya4YtG3
XGCYYYms5eSZYl02z5R9Wbc7vt0UDS6jhzoLj9lpWO4egqiVg4BLkpx2jjWQ1FNx
ss+IKt9vF9AY86WMHl9fBXqNHSTYz9YRUA3PGC59hHw7eyC1h5HluhNwe3k8TCHf
+8Y4kpNNpxyqvTBMYebIjeToFE91N5+uuXsxN+m7c3+CwcySIf0aBaueglnI8pV8
a9SXSIrOwdEmf744DlOnA8YwgEP09t8uj2JIoIwwa7a6No49uWegSKgSt8maxrr1
RVjHpRrnT4sCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIBijEReXLhnH+XD
UCmGveQVcjSYMB8GA1UdIwQYMBaAFHmzsvdHZ5KfisIcPBpo/dT210CaMA0GCSqG
SIb3DQEBBQUAA4IBAQBmIFxvWMF91/apgqsrYhUfMVpWgg7/c08/mzZeaCS0Fz/9
7Z+WQ3Dyi18izO1Jz4TzzpBY+psdvQvNdfM85fyo47eKZUAEHmHe6oQ5k4HG9p3P
Xdc1lh+Xjd2OZQvWxAGo/E03LddQ/fkiMJdF9WQO+odGOLNvPw/vYMokhk0jDHlN
d/vw3j8uowdLzRreT/N6A7+m1P0g9RdrrKmH6HEB10iPmvPtQ2BYc2KymYLXmJdF
CZAMIQKCOyrnx/52kADZ24fH5ZMUam47/Uf81c2Vp8zqScBkxedVzS+x4Cs9xKEY
d/tzk2mS3Z3YpStfMSXqlGdJTj8Fv2yXoxsCvyuw
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
###################################################################
###################################################################

: ~ / myca # cp demoCA / cacert.pem / etc / ssl / certs /
: ~ / myca # mv newcert.pem /etc/ssl/certs/mildap-cert.pem
: ~ / myca # mv newreq.pem /etc/ssl/private/mildap-key.pem
: ~ / myca # chmod 600 /etc/ssl/private/mildap-key.pem

: ~ / myca # nano certinfo.ldif
dn: cn = config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem - add: olcTLSCertificateFile / etc privateKeySCertificateSCertificate / s: olcTLSCertKeyFile / etc. /mildap-key.pem

: ~ / myca # ldapmodify -Y EXTERNAL -H ldapi: /// -f /root/myca/certinfo.ldif

: ~ / myca # aptitude install ssl-cert

: ~ / myca # adduser openldap ssl-cert
Adding the user `openldap 'to the group` ssl-cert' ... Adding the user openldap to the group ssl-cert Done.
: ~ / myca # chgrp ssl-cert /etc/ssl/private/mildap-key.pem
: ~ / myca # chmod g + r /etc/ssl/private/mildap-key.pem
: ~ / myca # chmod or /etc/ssl/private/mildap-key.pem
: ~ / myca # service slapd restart
[ok] Stopping OpenLDAP: slapd. [ok] Starting OpenLDAP: slapd.

: ~ / myca # tail / var / log / syslog

With this explanation and the preceding articles, we can now use Wheezy as the operating system for our Directory Service.

Continue with us in the next installment !!!.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

3 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   sdsfaae said

    How do I put this type of certificate or https on the web page? without resorting to a company, entity or external page
    What other uses does your certificate have?

    1.    federico said

      In the example, the cacert.pem file of the certificate is to activate an encrypted communication channel between the client and the server, either on the server itself where we have the OpenLDAP, or on a client that authenticates against the Directory.

      On the server and on the client, you must declare their location in the /etc/ldap/ldap.conf file, as explained in the previous article:
      /Etc/ldap/ldap.conf file

      BASE dc = friends, dc = cu
      URI ldap: //mildap.amigos.cu

      #SIZELIMIT 12
      #TIMELIMIT 15
      #DEREF never

      # TLS certificates (needed for GnuTLS)
      TLS_CACERT /etc/ssl/certs/cacert.pem

      Of course, in the case of the client, you must copy that file to the / etc / ssl / certs folder. From then on, you can use StartTLS to communicate with the LDAP server. I recommend you read the preceding articles.

      regards