24.4.4 Creating and Distributing Self-signed CA Certificates

For usage solely within an organization, you might want to create certificates that you can use with LDAP. There are a number of ways of creating suitable certificates, for example:

  • Create a self-signed CA certificate together with a private key file.

  • Create a self-signed root CA certificate and private key file, and use the CA certificate and its key file to sign a separate server certificate for each server.

The following procedure describes how to use openssl to create a self-signed CA certificate and private key file, and then use these files to sign server certificates.

To create the CA certificate and use it to sign a server certificate:

  1. Change directory to /etc/openldap/certs on the LDAP server:

    # cd /etc/openldap/certs
  2. Create the private key file CAcert-key.pem for the CA certificate. Use a key of at least 2048 bits: 1024-bit RSA keys are no longer considered secure and are rejected by the default security settings of current distributions:

    # openssl genrsa -out CAcert-key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ......++++++
    ....++++++
    e is 65537 (0x10001)
  3. Change the mode on the key file to 0400:

    # chmod 0400 CAcert-key.pem
  4. Create the certificate request CAcert.csr:

    # openssl req -new -key CAcert-key.pem -out CAcert.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Redwood City
    Organization Name (eg, company) [Default Company Ltd]:Mydom Inc
    Organizational Unit Name (eg, section) []:Org
    Common Name (eg, your name or your server's hostname) []:www.mydom.org
    Email Address []:root@mydom.org
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:<Enter>
    An optional company name []:<Enter>
  5. Create a CA certificate that is valid for approximately three years:

    # openssl x509 -req -days 1095 -in CAcert.csr -signkey CAcert-key.pem -out CAcert.pem
    Signature ok
    subject=/C=US/ST=California/L=Redwood City/O=Mydom Inc/OU=Org/CN=www.mydom.org/emailAddress=root@mydom.org
    Getting Private key
  6. For each server certificate that you want to create:

    1. Create the private key for the server certificate:

      # openssl genrsa -out server-key.pem 1024
      Generating RSA private key, 1024 bit long modulus
      .............++++++
      ...........................++++++
      e is 65537 (0x10001)
      Note

      If you intend to generate server certificates for several servers, name the certificate, its key file, and the certificate request so that you can easily identify both the server and the service, for example, ldap_host02-cert.pem, ldap_host02-key.pem, and ldap_host02-cert.csr.

    2. Change the mode on the key file to 0400, and change its user and group ownership to ldap:

      # chmod 0400 server-key.pem
      # chown ldap:ldap server-key.pem
    3. Create the certificate request server-cert.csr:

      # openssl req -new -key server-key.pem -out server-cert.csr
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:US
      State or Province Name (full name) []:California
      Locality Name (eg, city) [Default City]:Redwood City
      Organization Name (eg, company) [Default Company Ltd]:Mydom Inc
      Organizational Unit Name (eg, section) []:Org
      Common Name (eg, your name or your server's hostname) []:ldap.mydom.com
      Email Address []:root@mydom.com
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:<Enter>
      An optional company name []:<Enter>
      Note

      For the Common Name, specify the Fully Qualified Domain Name (FQDN) of the server. A client that verifies the server certificate compares the host name it connected to against the certificate; if the FQDN does not match, the client rejects the connection. Current TLS libraries check the subjectAltName extension first and fall back to the Common Name only when no subjectAltName is present, so when you sign the request, also add a subjectAltName entry of the form DNS:ldap.mydom.com that carries the same FQDN.

    4. Use the CA certificate and its corresponding key file to sign the certificate request and generate the server certificate:

      # openssl x509 -req -days 1095 -CAcreateserial \
        -in server-cert.csr -CA CAcert.pem -CAkey CAcert-key.pem \
        -out server-cert.pem
      Signature ok
      subject=/C=US/ST=California/L=Redwood City/O=Mydom Inc/OU=Org/CN=ldap.mydom.com/emailAddress=root@mydom.com
      Getting CA Private Key
  7. If you generate server certificates for other LDAP servers, copy the appropriate server certificate, its corresponding key file, and the CA certificate to /etc/openldap/certs on those servers.

  8. Set up a web server to host the CA certificate for access by clients. The following steps assume that the LDAP server performs this function. You can use any suitable, alternative server instead. Because the certificate is downloaded over plain HTTP, a client cannot tell whether it received the genuine CA certificate; publish the certificate's SHA-256 fingerprint (openssl x509 -in CAcert.pem -noout -fingerprint -sha256) through a separate channel and have administrators compare it before they install the certificate on a client.

    1. Install the Apache HTTP server.

      # yum install httpd

    2. Create a directory for the CA certificate under /var/www/html, for example:

      # mkdir /var/www/html/certs

    3. Copy the CA certificate to /var/www/html/certs.

      # cp CAcert.pem /var/www/html/certs

      Caution

      Do not copy the key files.

    4. Edit the HTTP server configuration file, /etc/httpd/conf/httpd.conf, and specify the resolvable domain name of the server in the argument to ServerName.

      ServerName server_addr:80

      If the server does not have a resolvable domain name, enter its IP address instead.

      Verify that the setting of the Options directive in the <Directory "/var/www/html"> section specifies Indexes and FollowSymLinks to allow you to browse the directory hierarchy, for example:

      Options Indexes FollowSymLinks

    5. Start the Apache HTTP server, and configure it to start after a reboot.

      # systemctl start httpd
      # systemctl enable httpd

    6. If you have enabled the firewall on your system, configure it to allow incoming HTTP connection requests on TCP port 80, for example:

      # firewall-cmd --zone=zone --add-port=80/tcp
      # firewall-cmd --permanent --zone=zone --add-port=80/tcp
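The certificate steps of the procedure (steps 1 to 7), as an added shell example that is not part of the Oracle Linux documentation. It uses 2048-bit keys, marks the CA certificate with basicConstraints CA:TRUE and keyCertSign, puts the server FQDN into a subjectAltName as well as the Common Name (openssl x509 -req does not copy extensions from the request, so they are passed again with -extfile), checks the result with openssl verify, and prints the SHA-256 fingerprint that step 8 should publish next to the downloadable CAcert.pem. The working directory, the CA Common Name "Mydom Inc Root CA" and the FQDN ldap.mydom.com are assumptions chosen to match the procedure; the configuration-file form is used instead of -addext so that it also works with the OpenSSL 1.0.2 shipped in Oracle Linux 7.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation). Directory, CA name
# and FQDN are assumptions that mirror the procedure above.

# make_ldap_pki DIR [FQDN]: create CAcert-key.pem/CAcert.pem and
# server-key.pem/server-cert.pem in DIR. Returns non-zero on any failure.
make_ldap_pki() {
    dir="$1"; fqdn="${2:-ldap.mydom.com}"
    mkdir -p "$dir" || return 1

    # CA certificate: self-signed, explicitly a CA, key usable only for
    # signing certificates and CRLs.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
C = US
ST = California
L = Redwood City
O = Mydom Inc
CN = Mydom Inc Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # umask 077 so the key file is never world-readable, even briefly.
    (umask 077 && openssl genrsa -out "$dir/CAcert-key.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -days 1095 -key "$dir/CAcert-key.pem" \
        -config "$dir/ca.cnf" -out "$dir/CAcert.pem" 2>/dev/null || return 1

    # Server certificate: FQDN in CN and subjectAltName, CA:FALSE so the
    # server key cannot be used to issue further certificates.
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_server
[ dn ]
C = US
ST = California
L = Redwood City
O = Mydom Inc
CN = $fqdn
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    (umask 077 && openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null) || return 1
    openssl req -new -key "$dir/server-key.pem" -config "$dir/server.cnf" \
        -out "$dir/server-cert.csr" 2>/dev/null || return 1
    # x509 -req drops the CSR's extensions; supply the same section via -extfile.
    openssl x509 -req -days 1095 -CAcreateserial \
        -in "$dir/server-cert.csr" -CA "$dir/CAcert.pem" -CAkey "$dir/CAcert-key.pem" \
        -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/server-cert.pem" 2>/dev/null || return 1
    chmod 0400 "$dir/CAcert-key.pem" "$dir/server-key.pem"
}

# verify_server_cert DIR FQDN: succeed only if server-cert.pem chains to
# CAcert.pem and carries FQDN in its subjectAltName, which is what an LDAP
# client checks when it connects.
verify_server_cert() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/CAcert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -qFw "DNS:$fqdn"
}

# ca_fingerprint DIR: SHA-256 fingerprint of CAcert.pem, to be published
# out-of-band so clients can check what they downloaded over plain HTTP.
ca_fingerprint() {
    openssl x509 -in "$1/CAcert.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone demonstration in a throwaway directory (assumed location).
demo_dir=$(mktemp -d)
make_ldap_pki "$demo_dir" ldap.mydom.com
verify_server_cert "$demo_dir" ldap.mydom.com && echo "server-cert.pem verifies for ldap.mydom.com"
echo "CA SHA-256 fingerprint: $(ca_fingerprint "$demo_dir")"
echo "files written to $demo_dir"
```

To use the output on a real server, copy CAcert.pem, server-cert.pem and server-key.pem into /etc/openldap/certs as in step 7, and publish only CAcert.pem and its fingerprint in step 8.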