Generate RedHat Directory Server SSL

1. install the packages Centos-ds

2. run
fill all the step, you can search on google...
bla bla bla, insert this, answer yes, bla bla..

3. create SSL certificate
# cd /etc/dirsrv/slapd-instance
# tar -cf * ~/db_backup.tar
# touch /tmp/pwdfile; echo "p4ssw0rd" > /tmp/pwdfile
# certutil -N -d . -f /tmp/pwdfile
# certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=combro,dc=com" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile         
# certutil -S -n "Server-Cert" -s "" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile
# certutil -d . -L -n "CA certificate" -a > cacert.asc
# pk12util -d . -o ldap1.p12 -n Server-Cert -w /tmp/pwdfile -k /tmp/pwdfile
# touch pin.txt; echo "Internal (Software) Token: p4ssw0rd" > pin.txt
# chmod 0400 pin.txt
# vim dse.ldif

edit cn=config
dn: cn=config
nsslapd-security: on
nsslapd-ssl-check-hostname: off

edit cn=encryption,cn=config
dn: cn=encryption,cn=config
nsSSL3: on
nsSSLClientAuth: allowed
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
244  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
245  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
246  +tls_rsa_export1024_with_des_cbc_sha

add cn=RSA,cn=ecryption,cn=config:
dn: cn=RSA,cn=encryption,cn=config
objectClass: nsEncryptionModule
objectClass: top
nsSSLActivation: on
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
cn: RSA

note: you can modify dse.ldif easier using ApacheDirectoryStudio
1. at Root DSE -> right click (go to DN..)
2. type cn=config
3. make new entry for cn=RSA,cn=encryption,cn=config
then put the attribute like above
4. then modify the cn=config and cn=encryption

# service dirsrv start
Starting dirsrv:
package...Warning: Incorrect PIN may result in disabling the token
Enter PIN for Internal (Software) Token: p4ssw0rd
[ OK ]


Popular posts from this blog

authentication failure using SSH pam_unix(sshd:auth): authentication failure;

Howto configure SPLUNK Universal Forwarder

openvpn howto make OCSP server using OpenSSL [Part2]