RHEL 6.3 – LDAP Series – Part 2 : Configuration of Certification Authority for LDAP encryption.

Rhel6.3 - CA Configuration

In this post, I will explain the Certificate Authority operations needed to continue our actual task, i.e. LDAP configuration with encrypted communication. This is the second post of the LDAP Implementation Series. For a quick recap you can refer to the first post: "RHEL 6.3 – LDAP Series – Part 1 : Implementation of LDAP Authentication without encryption".

 

Server Information

  • LDAP SERVER : gurkulrhel1 – alias ldapserver (192.168.1.31)
  • LDAP CLIENT : gurkulrhel2 (192.168.1.32)
  • CA SERVER   : gurkulrhelca (192.168.1.33)

Stage 1: Create a self-signed certificate for the CA

  • CA self-signed certificate : cacert.pem
  • CA private key : cakey.pem

Stage 2: Create a CA-signed certificate for the LDAP server

  • LDAP server private key : gurkulrhel1.gurkulindia.com.key
  • CA-signed LDAP server certificate : gurkulrhel1.gurkulindia.com.crt

Stage 3: Copy the CA certificate, the CA-signed server certificate and the server key to the LDAP server's certificate repository.


Procedure to Configure Certification Authority

 
 LDAP Certification Authority

Step 1:  Install OpenSSL

 [root@gurkulrhelca CA]#   yum install openssl

Step 2: Generate a self-signed CA certificate (/etc/pki/CA/cacert.pem) and CA key (/etc/pki/CA/private/cakey.pem). Note that the command below does not pass -days, so the CA certificate gets OpenSSL's default validity of 30 days; add -days <n> if you need a longer-lived CA certificate.

 
[root@gurkulrhelca CA]# openssl req -new -x509 -extensions v3_ca -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
Generating a 2048 bit RSA private key
...........+++
..................+++
writing new private key to '/etc/pki/CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore City]:
Organization Name (eg, company) [Gurkulindia Company Ltd]:
Organizational Unit Name (eg, section) []:Gurkulindia
Common Name (eg, your name or your server's hostname) []:gurkulrhelca
Email Address []:root@gurkulrhelca
 

Step 3: Log in to the LDAP server (gurkulrhel1) and create a key and a certificate signing request for the CA. The -nodes option leaves the private key unencrypted, and the ls output below shows it was created world-readable (0644), so restrict its permissions before it is put into service.

 
[root@gurkulrhel1 ~]# openssl req -new -nodes -keyout /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key -out /etc/pki/tls/gurkulrhel1.gurkulindia.com.csr
Generating a 2048 bit RSA private key
........................................................................................+++
....................................................................+++
writing new private key to '/etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Gurkulindia
Organizational Unit Name (eg, section) []:LDAP
Common Name (eg, your name or your server's hostname) []:gurkulrhel1  <== It should exactly match the server name
Email Address []:root@gurkulrhel1

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@gurkulrhel1 ~]#

[root@gurkulrhel1 ~]# ls -l /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key
-rw-r--r-- 1 root root 1704 Mar 29 19:50 /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key

[root@gurkulrhel1 ~]# ls -l /etc/pki/tls/gurkulrhel1.gurkulindia.com.csr
-rw-r--r-- 1 root root 1062 Mar 29 19:50 /etc/pki/tls/gurkulrhel1.gurkulindia.com.csr
 
 

Step 4: Copy the certificate request file (gurkulrhel1.gurkulindia.com.csr) to the CA server (gurkulrhelca) and create the signed certificate (gurkulrhel1.gurkulindia.com.crt).

 
 
[root@gurkulrhelca CA]#
[root@gurkulrhelca CA]# scp gurkulrhel1:/etc/pki/tls/gurkulrhel1.gurkulindia.com.csr    /etc/pki/tls/gurkulrhel1.gurkulindia.com.csr
root@gurkulrhel1's password:
gurkulrhel1.gurkulindia.com.csr                                                           100% 1062     1.0KB/s   00:00
 
 
[root@gurkulrhelca CA]# openssl ca -policy policy_anything -out /etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt -infiles /etc/pki/tls/gurkulrhel1.gurkulindia.com.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 29 11:55:09 2013 GMT
            Not After : Mar 29 11:55:09 2014 GMT
        Subject:
            countryName               = SG
            stateOrProvinceName       = Singapore
            localityName              = Singapore
            organizationName          = Gurkulindia
            organizationalUnitName    = LDAP
            commonName                = gurkulrhel1
            emailAddress              = root@gurkulrhel1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0B:86:F7:44:4B:FE:2C:0D:9A:61:A4:55:92:93:1C:AB:36:BC:9F:D7
            X509v3 Authority Key Identifier:
                keyid:55:65:A1:19:AB:63:E4:27:D4:44:A3:03:98:F4:2E:D9:32:5F:7D:0E
 
Certificate is to be certified until Mar 29 11:55:09 2014 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 
 
 

Step 5: Copy the CA certificate (cacert.pem) to the LDAP server and verify it.

 
>>> Download CA certificate from CA machine: 
 
[root@gurkulrhel1 ~]# scp gurkulrhelca:/etc/pki/CA/cacert.pem /etc/pki/tls/certs
root@gurkulrhelca's password:
cacert.pem                                           100% 1505     1.5KB/s   00:00
 
Note: In RHEL 6.3, LDAP TLS uses "/etc/openldap/cacerts" as the default certificate repository. Since I used "/etc/pki/tls/certs" as my certificate repository in this post, I have customized the LDAP configuration to reflect that path (the procedure is discussed in the post: LDAP Configuration With Encrypted Communication using TLS).
 
>>> CA certificate file should only contain one certificate. To test it, use this command: 
 
[root@gurkulrhel1 ~]# cat /etc/pki/tls/certs/cacert.pem | grep 'BEGIN.*CERTIFICATE' | wc -l
1
 

Step 6: OpenSSL looks up CA certificates in a certificate directory by the hash of their subject name. Generate the hash for the CA certificate.

 
[root@gurkulrhel1 ~]# openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem
539a37f4
 
>>>> The symlink should be placed in /etc/pki/tls/certs/ directory with the following format: 
 
[root@gurkulrhel1 ~]# HASH=$( openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem )
[root@gurkulrhel1 ~]# ln -s /etc/pki/tls/certs/cacert.pem /etc/pki/tls/certs/${HASH}.0
[root@gurkulrhel1 ~]# ls -l /etc/pki/tls/certs/
total 1212
lrwxrwxrwx  1 root root     29 Mar 29 20:00 539a37f4.0 -> /etc/pki/tls/certs/cacert.pem
-rw-r--r--. 1 root root 571410 Sep  2  2011 ca-bundle.crt
-rw-r--r--. 1 root root 651043 Sep  2  2011 ca-bundle.trust.crt
-rw-r--r--  1 root root   1505 Mar 29 20:00 cacert.pem
-rw-------. 1 root root   1188 Sep 27  2012 localhost.crt
-rwxr-xr-x  1 root root    610 Mar  5 06:12 make-dummy-cert
-rw-r--r--  1 root root   2242 Mar  5 06:12 Makefile
 
 

Step 7: Copy the CA-signed LDAP server certificate (gurkulrhel1.gurkulindia.com.crt) to the local certificate repository.

 
[root@gurkulrhel1 ~]# scp gurkulrhelca:/etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt    /etc/pki/tls/certs
root@gurkulrhelca's password:
gurkulrhel1.gurkulindia.com.crt                                      100% 4726     4.6KB/s   00:00
 

Step 8: Verify that the server certificate was signed by the CA. Without -CAfile or -CApath, openssl verify searches OpenSSL's default certificate directory, which on RHEL is /etc/pki/tls/certs, so it finds the CA through the hash symlink created in Step 6.

 
[root@gurkulrhel1 ~]# openssl verify /etc/pki/tls/certs/gurkulrhel1.gurkulindia.com.crt
/tmp/gurkulrhel1.gurkulindia.com.crt: OK
[root@gurkulrhel1 ~]#
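As an added example (not from the original post or its author), the script below automates the checks that Steps 5 to 8 perform by hand, against a throwaway CA and server certificate that it builds itself in a temporary directory. It assumes only that the openssl CLI is on PATH, and it signs the test certificate with openssl x509 -req instead of the post's openssl ca so that no index.txt or serial file is needed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only the openssl CLI on PATH.
# Builds a throwaway CA and CA-signed server certificate in a temp directory and
# runs the checks the post does by hand in Steps 5 to 8.
set -eu

# count_certs FILE: number of PEM certificates in FILE (Step 5 expects exactly 1)
count_certs() { grep -c 'BEGIN.*CERTIFICATE' "$1"; }

# link_ca_by_hash CERTDIR CAFILE: create the <subject-hash>.0 symlink of Step 6
# and print its path; openssl's -CApath lookup uses exactly this naming scheme
link_ca_by_hash() {
    hash=$(openssl x509 -noout -hash -in "$2")
    ln -sf "$2" "$1/${hash}.0"
    echo "$1/${hash}.0"
}

# verify_server_cert CERTDIR CERT HOST: 0 if CERT chains to a CA found in CERTDIR
# (Step 8) and its CN equals HOST (the "must match server name" note of Step 3)
verify_server_cert() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -noout -subject -in "$2" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$3" ]
}

# make_test_pki DIR HOST: constructed test CA and server cert (not the post's files).
# The post's Step 2 omits -days, which makes "openssl req -x509" default to 30 days;
# here -days is given explicitly so the validity period is a deliberate choice.
make_test_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=testca" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/server.crt" >/dev/null 2>&1
}

# run_checks HOST: prints OK when all checks pass, a FAIL reason otherwise
run_checks() {
    dir=$(mktemp -d)
    make_test_pki "$dir" "$1"
    [ "$(count_certs "$dir/cacert.pem")" = "1" ] || { echo "FAIL: cacert.pem must hold one cert"; return 1; }
    link=$(link_ca_by_hash "$dir" "$dir/cacert.pem")
    [ -L "$link" ] || { echo "FAIL: hash symlink missing"; return 1; }
    verify_server_cert "$dir" "$dir/server.crt" "$1" || { echo "FAIL: verify or CN mismatch"; return 1; }
    echo OK
}
```

Run `run_checks ldapserver` to exercise the whole sequence; point verify_server_cert at the real /etc/pki/tls/certs and slapdcert.pem to check a production setup the same way.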
 

Step 9: Make the certificates and keys ready for the further LDAP configuration discussed in the post LDAP Configuration With Encrypted Communication using TLS.

 

Place the following two files in the LDAP server's "/etc/pki/tls/certs/" directory:

  1. LDAP server key – gurkulrhel1.gurkulindia.com.key
  2. CA-signed certificate for the LDAP server – gurkulrhel1.gurkulindia.com.crt

[root@gurkulrhel1 ~]# cp /etc/pki/tls/private/gurkulrhel1.gurkulindia.com.key /etc/pki/tls/certs/slapdkey.pem

[root@gurkulrhel1 ~]# scp gurkulrhelca:/etc/pki/CA/certs/gurkulrhel1.gurkulindia.com.crt /etc/pki/tls/certs/slapdcert.pem
root@gurkulrhelca’s password:
gurkulrhel1.gurkulindia.com.crt 100% 4726 4.6KB/s 00:00
[root@gurkulrhel1 ~]# ls -l /etc/pki/tls/certs/slapdkey.pem /etc/pki/tls/certs/slapdcert.pem
-rw-r--r-- 1 root root 4726 Mar 29 21:30 /etc/pki/tls/certs/slapdcert.pem
-rw-r--r-- 1 root root 1704 Mar 29 21:29 /etc/pki/tls/certs/slapdkey.pem

[root@gurkulrhel1 ~]# chown -Rf ldap:ldap /etc/pki/tls/certs/slapdcert.pem /etc/pki/tls/certs/slapdkey.pem
[root@gurkulrhel1 ~]# chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem

 

We will discuss the actual LDAP implementation with encrypted communication in our next post.

 


Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other unixadmins if I manage my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

11 Responses

  1. Ramdev says:

    Thanks Mr. Bhaskar.

  2. venu says:

     Hi, I am getting the below. Can you please help me?
     unable to open '/etc/pki/CA/index.txt' 140141283018568:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r') 140141283018568:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

    • Ramdev says:

      Hi Venu, all that error says is that the index.txt file is missing. You can just run the below commands before you rerun the openssl command.

      # touch /etc/pki/CA/index.txt
      # echo '1000' > /etc/pki/CA/serial

  3. albert says:

    Have you ever thought about adding a little bit more than just your
    articles? I mean, what you say is important and everything.
    But think about if you added some great visuals or video clips to give your posts
    more, “pop”! Your content is excellent but with pics and videos, this blog could definitely be one of the greatest in its field.
    Good blog!

  4. snehal says:

    Hi,

    Can anyone tell me the steps for how to connect to or troubleshoot a Sun Fire 280R via console? I am new to Sun Solaris and my Sun box is not responding remotely but is pinging.

  5. venu says:

    Thanks, Ramdev. It's working fine.

  6. Ramdev says:

    Venu, glad to know that worked.

  7. Kman says:

    Your guide really needs syntax checking and formatting.

  8. RAJESH says:

    Your guide is very useful. Really nice blog.

  1. July 22, 2016

    […] Read – LDAP-Part 2 : Configuration of Certification Authority for LDAP encryption in RHEL 6.3 […]
