The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

23.4.4 Creating and Distributing Self-signed CA Certificates

For usage solely within an organization, you might want to create certificates that you can use with LDAP. There are a number of ways of creating suitable certificates, for example:

  • Create a self-signed CA certificate together with a private key file.

  • Create a self-signed root CA certificate and private key file, and use the CA certificate and its key file to sign a separate server certificate for each server.

The following procedure describes how to use openssl to create a self-signed CA certificate and private key file, and then use these files to sign server certificates.

To create the CA certificate and use it to sign a server certificate:

  1. Change directory to /etc/openldap/certs on the LDAP server: 

    # cd /etc/openldap/certs

  2. Create the private key file CAcert-key.pem for the CA certificate: 

    # openssl genrsa -out CAcert-key.pem 1024
Generating RSA private key, 1024 bit long modulus
......++++++
....++++++
e is 65537 (0x10001)

  3. Change the mode on the key file to 0400: 

    # chmod 0400 CAcert-key.pem

  4. Create the certificate request CAcert.csr: 

    # openssl req -new -key CAcert-key.pem -out CAcert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Redwood City
Organization Name (eg, company) [Default Company Ltd]:Mydom Inc
Organizational Unit Name (eg, section) []:Org
Common Name (eg, your name or your server's hostname) []:www.mydom.org
Email Address []:root@mydom.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<Enter>
An optional company name []:<Enter>

  5. Create a CA certificate that is valid for approximately three years: 

    # openssl x509 -req -days 1095 -in CAcert.csr -signkey CAcert-key.pem -out CAcert.pem
rt-key.pem -out CAcert.pem
Signature ok
subject=/C=US/ST=California/L=Redwood City/O=Mydom 
Inc/OU=Org/CN=www.mydom.org/emailAddress=root@mydom.org
Getting Private key

  6. For each server certificate that you want to create:

    1. Create the private key for the server certificate: 

      # openssl genrsa -out server-key.pem 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
...........................++++++
e is 65537 (0x10001)
      Note

      If you intend to generate server certificates for several servers, name the certificate, its key file, and the certificate request so that you can easily identify both the server and the service, for example, ldap_host02-cert.pem, ldap_host02-key.pem, and ldap_host02-cert.csr.

    2. Change the mode on the key file to 0400, and change its user and group ownership to ldap: 

      # chmod 0400 server-key.pem
# chown ldap:ldap server-key.pem

    3. Create the certificate request server-cert.csr: 

      # openssl req -new -key server-key.pem -out server-cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Redwood City
Organization Name (eg, company) [Default Company Ltd]:Mydom Inc
Organizational Unit Name (eg, section) []:Org
Common Name (eg, your name or your server's hostname) []:ldap.mydom.com
Email Address []:root@mydom.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<Enter>
An optional company name []:<Enter>
      Note

      For the Common Name, specify the Fully Qualified Domain Name (FQDN) of the server. If the FQDN of the server does not match the common name specified in the certificate, clients cannot obtain a connection to the server.

    4. Use the CA certificate and its corresponding key file to sign the certificate request and generate the server certificate: 

      # openssl x509 -req -days 1095 -CAcreateserial \
  -in server-cert.csr -CA CAcert.pem -CAkey CAcert-key.pem \
  -out server-cert.pem
Signature ok
subject=/C=US/ST=California/L=Redwood City/O=Mydom 
Inc/OU=Org/CN=ldap.mydom.com/emailAddress=root@mydom.com
Getting CA Private Key

  7. If you generate server certificates for other LDAP servers, copy the appropriate server certificate, its corresponding key file, and the CA certificate to /etc/openldap/certs on those servers.

  8. Set up a web server to host the CA certificate for access by clients. The following steps assume that the LDAP server performs this function. You can use any suitable, alternative server instead.

    1. Install the Apache HTTP server. 

      # yum install httpd

    2. Create a directory for the CA certificate under /var/www/html, for example: 

      # mkdir /var/www/html/certs

    3. Copy the CA certificate to /var/www/html/certs. 

      # cp CAcert.pem /var/www/html/certs

      Caution

      Do not copy the key files.

    4. Edit the HTTP server configuration file, /etc/httpd/conf/httpd.conf, and specify the resolvable domain name of the server in the argument to ServerName. 

      ServerName server_addr:80

      If the server does not have a resolvable domain name, enter its IP address instead.

      Verify that the setting of the Options directive in the <Directory "/var/www/html"> section specifies Indexes and FollowSymLinks to allow you to browse the directory hierarchy, for example: 

      Options Indexes FollowSymLinks

    5. Start the Apache HTTP server, and configure it to start after a reboot. 

      # service httpd start
# chkconfig httpd on

    6. If you have enabled a firewall on your system, configure it to allow incoming HTTP connection requests on TCP port 80.

      For example, the following command configures iptables to allow incoming HTTP connection requests and saves the change to the firewall configuration: 

      # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# service iptables save

Copyright © 2013, 2021, Oracle and/or its affiliates. Legal Notices