PHP LDAP user authentication: a centralized system-user authentication setup on Linux based on LDAP

[root@localhost ~]#mkdir /usr/local/openldap-2.4.21/etc/openldap/ssl/

[root@localhost ~]#cd /usr/local/openldap-2.4.21/etc/openldap/ssl/

[root@localhost ssl]# /etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 1024 bit RSA private key

........................................++++++

......................................................++++++

writing new private key to '../../CA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:beijing

Locality Name (eg, city) [Newbury]:beijing

Organization Name (eg, company) [My Company Ltd]:hsf

Organizational Unit Name (eg, section) []:hsf

Common Name (eg, your name or your server's hostname) []: 192.168.100.152

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ../../CA/private/./cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Dec 28 06:27:46 2011 GMT

Not After : Dec 27 06:27:46 2014 GMT

Subject:

countryName = CN

stateOrProvinceName = beijing

organizationName = hsf

organizationalUnitName = hsf

commonName = 192.168.100.152

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

X509v3 Authority Key Identifier:

keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Certificate is to be certified until Dec 27 06:27:46 2014 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

[root@localhost ssl]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem //For a master-master (multi-master) LDAP setup, run this twice: the first time enter node1's hostname as the Common Name, the second time enter node2's hostname.//

Generating a 1024 bit RSA private key

.........++++++

.++++++

writing new private key to 'newreq.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:beijing

Locality Name (eg, city) [Newbury]:beijing

Organization Name (eg, company) [My Company Ltd]:hsf

Organizational Unit Name (eg, section) []:hsf

Common Name (eg, your name or your server's hostname) []:192.168.100.152

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@localhost ssl]# ls

newreq.pem

[root@localhost ssl]# /etc/pki/tls/misc/CA -sign

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ../../CA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Dec 28 06:29:44 2011 GMT

Not After : Dec 27 06:29:44 2012 GMT

Subject:

countryName = CN

stateOrProvinceName = beijing

localityName = beijing

organizationName = hsf

organizationalUnitName = hsf

commonName = 192.168.100.152

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16

X509v3 Authority Key Identifier:

keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1 (0x1)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=CN, ST=beijing, O=hsf, OU=hsf, CN= 192.168.100.152

Validity

Not Before: Dec 28 06:29:44 2011 GMT

Not After : Dec 27 06:29:44 2012 GMT

Subject: C=CN, ST=beijing, L=beijing, O=hsf, OU=hsf, CN=192.168.100.152

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:cf:ac:a6:5f:6a:de:42:71:87:32:c9:10:1f:3a:

72:ce:a2:0b:f9:e9:89:d2:ac:fa:b3:b3:09:f9:c6:

60:d7:7f:12:37:4b:04:0c:23:5a:1a:98:52:df:6b:

02:30:d6:a7:0e:f6:6a:3a:6d:9a:db:2b:c7:77:68:

88:a3:b8:7e:29:3e:d3:6d:8b:d1:46:01:71:48:da:

17:de:dc:dd:59:ad:b4:5e:45:ff:9d:e5:19:94:2d:

e4:d9:d5:c3:71:d0:1d:73:f8:7f:70:16:c4:78:62:

ec:7f:a7:61:f7:00:c2:c7:85:f2:17:43:73:d9:ec:

2b:9b:ae:c0:c5:74:04:c0:9f

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16

X509v3 Authority Key Identifier:

keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Signature Algorithm: sha1WithRSAEncryption

75:ac:44:1f:af:ea:f0:d0:75:9b:77:3c:6f:7a:62:b4:9e:1d:

14:c5:ef:b5:88:a8:d7:c8:b3:43:b0:ba:39:36:e1:59:f6:d8:

e4:bc:9a:22:57:ed:48:a4:57:13:62:bb:8a:04:75:42:5e:76:

ca:e0:89:7e:e8:cd:da:0e:0d:2e:b8:62:94:4a:28:9a:c7:41:

47:17:08:b9:9e:1a:87:31:94:de:52:99:42:2a:5b:40:d0:a2:

20:79:0f:ea:ab:bf:e3:e1:cc:75:9c:cb:14:a6:59:a5:6c:a0:

50:bb:1a:e4:66:8d:89:20:fa:69:64:0f:31:80:68:68:17:6f:

9f:18

-----BEGIN CERTIFICATE-----

MIICujCCAiOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJDTjEQ

MA4GA1UECBMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T

SEkxGTAXBgNVBAMTECAxOTIuMTY4LjEwMC4xNTIwHhcNMTExMjI4MDYyOTQ0WhcN

MTIxMjI3MDYyOTQ0WjBtMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQ

MA4GA1UEBxMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T

SEkxGDAWBgNVBAMTDzE5Mi4xNjguMTAwLjE1MjCBnzANBgkqhkiG9w0BAQEFAAOB

jQAwgYkCgYEAz6ymX2reQnGHMskQHzpyzqIL+emJ0qz6s7MJ+cZg138SN0sEDCNa

GphS32sCMNanDvZqOm2a2yvHd2iIo7h+KT7TbYvRRgFxSNoX3tzdWa20XkX/neUZ

lC3k2dXDcdAdc/h/cBbEeGLsf6dh9wDCx4XyF0Nz2ewrm67AxXQEwJ8CAwEAAaN7

MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg

Q2VydGlmaWNhdGUwHQYDVR0OBBYEFGcF+ZsX4GOr7f1lvk5dfsRNUWMB8GA1Ud

IwQYMBaAFLrS+eG7Flc+eJZeKSGkp0qu5CO9MA0GCSqGSIb3DQEBBQUAA4GBAHWs

RB+v6vDQdZt3PG96YrSeHRTF77WIqNfIs0Owujk24Vn22OS8miJX7UikVxNiu4oE

dUJedsrgiX7ozdoODS64YpRKKJrHQUcXCLmeGocxlN5SmUIqW0DQoiB5D+qrv+Ph

zHWcyxSmWaVsoFC7GuRmjYkg+mlkDzGAaGgXb58Y

-----END CERTIFICATE-----

Signed certificate is in newcert.pem

[root@localhost ssl]# ls

newcert.pem newreq.pem

[root@localhost ssl]# mkdir /usr/local/openldap-2.4.21/etc/openldap/cacerts

[root@localhost ssl]#cp ../../CA/cacert.pem /usr/local/openldap-2.4.21/etc/openldap/cacerts/

[root@localhost ssl]#cp newcert.pem /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem

[root@localhost ssl]#cp newreq.pem /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem

[root@localhost ssl]#chmod 600 /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem

[root@localhost openldap]# vi /usr/local/openldap-2.4.21/etc/openldap/slapd.conf

# The original article used "TLSCipherSuite HIGH:MEDIUM:+SSLv2". In an OpenSSL cipher string "+SSLv2" only moves the SSLv2-era suites to the end of the list, it does not remove them, and MEDIUM admits RC4. Exclude the weak families explicitly:
TLSCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

TLSCACertificateFile /usr/local/openldap-2.4.21/etc/openldap/cacerts/cacert.pem

TLSCertificateFile /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem

TLSCertificateKeyFile /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
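The transcript above shows several things a practitioner would want to correct before trusting this CA: both keys are 1024-bit RSA signed with SHA-1; the root certificate produced by `CA -newca` carries `X509v3 Basic Constraints: CA:FALSE`, which clients that enforce basicConstraints (OpenSSL does) will reject as an invalid CA; the Common Name was typed with a leading space, so the issuer reads `CN= 192.168.100.152` while the subject reads `CN=192.168.100.152`; the server certificate puts an IP address in the CN with no subjectAltName, which is what TLS hostname verification actually checks; and `openssl req ... -keyout newreq.pem -out newreq.pem` writes the private key and the CSR into one file, which is then installed as slapdkey.pem. The script below is an added example, not code from the original article or from the OpenLDAP project: it reproduces the same CA, CSR and signing steps non-interactively with those problems fixed, and then runs the checks you should perform before pointing `TLSCertificateFile`/`TLSCertificateKeyFile` at the output. The subject fields, the 192.168.100.152 address and the output directory are assumptions copied from the article's example; copy the resulting files into the paths used in slapd.conf above.

```shell
#!/bin/sh
# Added example, not code from the original article: a non-interactive
# equivalent of the CA -newca / openssl req / CA -sign steps above, with the
# weaknesses visible in the transcript corrected. Names, paths and the
# 192.168.100.152 address are assumptions copied from the article's example.
set -eu

SERVER_IP="${SERVER_IP:-192.168.100.152}"   # assumed LDAP server address
WORK="${WORK:-$(mktemp -d)}"                # scratch dir; copy the results into the slapd.conf paths afterwards
cd "$WORK"

# One config file for both certificates. v3_ca marks the root as a CA
# (the transcript's root ended up with CA:FALSE); v3_server marks the leaf
# as a non-CA and puts the address in subjectAltName, which is what TLS
# clients match against, not the CN.
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = CN
ST = beijing
L  = beijing
O  = hsf
OU = hsf
CN = $SERVER_IP
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = IP:$SERVER_IP
EOF

make_ca() {
  # Self-signed root, 3 years as in the transcript; 2048-bit RSA and SHA-256
  # instead of 1024-bit RSA and SHA-1. -nodes leaves the key unencrypted so
  # slapd can start unattended; protect it with file permissions instead.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -config ca.cnf -extensions v3_ca -keyout cakey.pem -out cacert.pem
  chmod 600 cakey.pem
}

make_server_cert() {
  # Key and CSR in separate files; the article wrote both into newreq.pem
  # and then installed that file as slapdkey.pem.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -keyout slapdkey.pem -out slapd.csr
  chmod 600 slapdkey.pem
  # Sign with the CA, applying the server extensions (CA:FALSE, SAN).
  openssl x509 -req -in slapd.csr -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 365 -sha256 -extfile ca.cnf -extensions v3_server \
    -out slapdcert.pem
}

# Checks to run before pointing TLSCertificateFile/TLSCertificateKeyFile at the files.
verify_chain()     { openssl verify -CAfile cacert.pem slapdcert.pem >/dev/null; }
ca_is_ca()         { openssl x509 -in cacert.pem -noout -text | grep -q 'CA:TRUE'; }
leaf_is_not_ca()   { openssl x509 -in slapdcert.pem -noout -text | grep -q 'CA:FALSE'; }
san_has_ip()       { openssl x509 -in slapdcert.pem -noout -text | grep -q "IP Address:$SERVER_IP"; }
key_matches_cert() {
  # The public key inside the certificate must equal the one derived from the private key.
  [ "$(openssl x509 -in slapdcert.pem -noout -pubkey)" = "$(openssl pkey -in slapdkey.pem -pubout)" ]
}

run_checks() {
  for check in verify_chain ca_is_ca leaf_is_not_ca san_has_ip key_matches_cert; do
    if "$check"; then echo "ok:   $check"; else echo "FAIL: $check" >&2; return 1; fi
  done
}

main() {
  make_ca
  make_server_cert
  run_checks
  echo "cacert.pem, slapdcert.pem and slapdkey.pem are in $WORK"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found; nothing generated" >&2; fi
```

After the script reports all checks ok, install cacert.pem under cacerts/, slapdcert.pem as slapdcert.pem and slapdkey.pem (mode 600, owned by the user slapd runs as) as slapdkey.pem, matching the `TLSCACertificateFile`, `TLSCertificateFile` and `TLSCertificateKeyFile` lines above. Clients need the same cacert.pem in their trust store; a leaf whose IP is only in the CN will still fail hostname verification on clients that require a subjectAltName.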
