How to create and use a Linux SSL certificate

Before connecting to an SSL-enabled OpenLDAP server you need to install a certificate on the machine on which you are running the Admwin executable.

Exception: Windows 2000 without the "Update Rollup 1 for Microsoft Windows 2000 Service Pack 4" does not require a certificate and will probably (depending on installed fixes) ignore any certificate provided.

How to generate a self-signed certificate with OpenSSL

·At the Linux command prompt go to the SSL certs directory and type  

openssl req -newkey rsa:1024 -x509 -nodes -out slapdcer.pem -keyout slapdkey.pem -days 365

Parameter           Description
-newkey rsa:1024    Create a new 1024-bit RSA private key and a certificate
-x509               Create a self-signed certificate
-nodes              Do not encrypt the private key (the current OpenLDAP implementation doesn't support encrypted keys)
-out filename       Certificate file name
-keyout filename    Private key file name
-days               Number of days the certificate is valid

You will be prompted for a few more parameters, but the only important one is the "Common Name" (hostname) parameter. The Common Name field must exactly match the hostname of the system the certificate will be used on; otherwise, clients will rightfully complain about a certificate/hostname mismatch. The server name must be a fully qualified domain name such as "server.domain.com". It cannot be a NetBIOS name or Internet Protocol (IP) address.

How to configure the OpenLDAP server to use SSL

·Set access permissions on the certificate and private key file so that LDAP (slapd) can access them.  

Be sure to protect the unencrypted private key file "slapdkey.pem" carefully as anyone with the key information can decipher the traffic encrypted with the key in question.  

·Make these changes in the OpenLDAP server configuration file slapd.conf:  

TLSCertificateFile /usr/share/ssl/certs/slapdcer.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapdkey.pem
#TLSCACertificateFile

The TLSCACertificateFile line should stay commented out since we use a self-signed certificate.  

·Restart the LDAP service. If the service fails to restart you probably have failed to set correct access permissions on the certificate and private key file.  
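The three Linux steps above (generate the certificate with the right Common Name, lock down the unencrypted key, point slapd.conf at the files) can be scripted so they are done the same way every time. The following is an added example, not part of the original page or of OpenLDAP itself. It assumes the slapd service account is called "ldap" (a placeholder; adjust for your distribution), uses the page's file locations, and defaults to a 2048-bit key instead of the 1024-bit key shown above, since 1024-bit RSA is no longer considered adequate; the Common Name is supplied with -subj so it cannot be mistyped at the interactive prompt, and the script refuses to continue if the key is readable by "other" or the CN does not match the hostname clients will use.

```shell
#!/bin/sh
# Added example, not from the original page. Generates the self-signed
# certificate described above non-interactively, restricts the private key
# to the slapd account, and checks the Common Name against the FQDN that
# clients will use before slapd is pointed at the files.
# Assumptions: slapd runs as user "ldap" (placeholder), files live under
# /usr/share/ssl/certs as on the page, key size defaults to 2048 bits.

CERT_DIR="${CERT_DIR:-/usr/share/ssl/certs}"
LDAP_USER="${LDAP_USER:-ldap}"
KEY_BITS="${KEY_BITS:-2048}"

# Create certificate and unencrypted key for FQDN; -subj sets the Common
# Name directly instead of answering the interactive prompt.
gen_cert() {
    fqdn="$1"; cert="$2"; key="$3"
    openssl req -newkey "rsa:$KEY_BITS" -x509 -nodes -days 365 \
        -subj "/CN=$fqdn" -out "$cert" -keyout "$key" 2>/dev/null
}

# Octal permission digits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A private key is acceptable only if "other" has no access bits and the
# group may at most read it (0600, 0400, 0640 or 0440).
check_key_perms() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400|640|440) return 0 ;;
        *) return 1 ;;
    esac
}

# Restrict the key to the slapd account: owner read/write only.
lock_key() {
    chown "$LDAP_USER" "$1" && chmod 600 "$1"
}

# Print the Common Name from a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only when the certificate CN is exactly the hostname clients use.
check_cn() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Emit the slapd.conf lines from the page for the given file locations.
slapd_tls_config() {
    printf 'TLSCertificateFile %s\nTLSCertificateKeyFile %s\n#TLSCACertificateFile\n' "$1" "$2"
}

# Full procedure, run as root: sh mkslapdcert.sh --run server.domain.com
# Prints the lines to add to slapd.conf; restart slapd afterwards.
if [ "${1:-}" = "--run" ]; then
    fqdn="$2"
    cert="$CERT_DIR/slapdcer.pem"; key="$CERT_DIR/slapdkey.pem"
    gen_cert "$fqdn" "$cert" "$key"
    lock_key "$key"
    check_key_perms "$key" || { echo "key permissions too open" >&2; exit 1; }
    check_cn "$cert" "$fqdn" || { echo "CN does not match $fqdn" >&2; exit 1; }
    slapd_tls_config "$cert" "$key"
fi
```

If the restart in the step above fails, running check_key_perms against slapdkey.pem and comparing the owner with the account slapd runs as is the quickest way to confirm the permission problem the page mentions; check_cn catches the hostname mismatch before any Windows client ever sees it.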

How to install the certificate on a Windows machine

·Copy the certificate file "slapdcer.pem" from the Linux server to the Windows machine on which you are running the Admwin executable.  

·Open "slapdcer.pem" with WordPad and save it as "slapdcer.cer", selecting the type "Text Document". You will see a dialog saying "You are about to save the document in a Text-Only format, which will remove all formatting. Are you sure you want to do this?" - click "Yes". (Notice that it must be opened with WordPad and not Notepad; WordPad automatically converts the file from Linux line endings to Windows line endings.)  

·Right-click the "slapdcer.cer" file in Explorer and select "install certificate". Windows will display a "Security warning" dialog where it says that it cannot validate that the certificate is actually from the hostname and asks if you want to install the certificate - click "Yes". Since you created and copied the certificate yourself you can definitely trust it.  

You can view all installed certificates in Internet Explorer > Tools > Internet Options > Content > Certificates.  

Now you should be able to connect to the LDAP server from the SetupBatcher Lin.DS.Logon command or the SetupExplorer user-definable xD buttons. Notice that the server hostname must be entered exactly as in the SSL certificate and that you cannot refer to the server by NetBIOS name or Internet Protocol (IP) address.

If there are problems, check the Windows Event Viewer System log for messages from the source "Schannel".  

Schannel, short for "Secure channel", is the Microsoft Security Support Provider DLL that implements the TLS/SSL protocols.