[Mageia-sysadm] ldap server certificate (was: Re: [Mageia-discuss] Fosdem report)
Buchan Milne
bgmilne at zarb.org
Wed Feb 15 17:12:10 CET 2012
On Wednesday, 15 February 2012 11:32:35 Michael Scherer wrote:
> Le mardi 14 février 2012 à 17:54 +0100, Romain d'Alverny a écrit :
> > On Tue, Feb 14, 2012 at 17:35, Michael Scherer <misc at zarb.org> wrote:
> > >> It looks like we are still using a self-signed certificate on the ldap
> > >> server. So it's required to have "TLS_REQCERT allow" in
> > >> /etc/openldap/ldap.conf to be able to connect to the ldap server.
> > >>
> > >> Should we also use the *.mageia.org certificate on the ldap server ?
> >
> > Wouldn't that make sense?
>
> I fear that some tools would requires CA in a slightly different format
> ( like key in one file, signature in another one ).
Key and cert should ideally be separate.
> For example, postgresql seems to need this ( since I had to write a
> special class for this, see rev 530 and 531 on adm svn.
> This can surely be worked around, but I am not sure if this would
> preserve the certificate signature
It should.
> ( I am rather bad when it come to
> certificate, each time, I think I understood openssl, and in fact, i
> didn't )
openssl x509 -out server.crt -in combined.pem
openssl rsa -out server.key -in combined.pem
?
> > >> Or have our own CA with keys distributed by rpm packages in the
> > >> distribution ?
> > >
> > > I would say "our own CA, but that's such a PITA :/
> >
> > Why?
>
> Because openssl is weird :p
That's not the PITA. Handling CSRs, signatures etc. is. But, it is a problem
worth solving, as we really should have a solution for this. We have been
using OpenCA at work for this, with some semi-automated enrolment with
autosscep (and SCEP on Cisco routers, Cisco VPN client etc.).
Regards,
Buchan
More information about the Mageia-sysadm
mailing list