Create a self-signed SSL certificate with a single command
This doesn’t have to be complicated at all. This is what I did on my LDAP servers (the key and the certificate both go into the same .pem file):
[user@ldap-primary /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-primary.pem -keyout ldap-primary.pem -days 3650
[user@ldap-slave1 /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-slave1.pem -keyout ldap-slave1.pem -days 3650
That’s it! No messing with the CA.pl script or running multiple openssl commands for requests, signings, password stripping, and catting keys and certs together. I tested my LDAP implementation like this and it worked like a charm. Having a copy of both certificates in /etc/openldap/cacerts/ on both machines worked for me. When I set up clients, I put the certs in their cacerts directory and they work just fine with STARTTLS. If you’re doing this for an OpenLDAP implementation, you can make sure it’s working with “ldapsearch -x -ZZ”, which fails unless the STARTTLS negotiation succeeds.
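Here is an added example (my own, not from the original post) that wraps the one-liner above in a function and then checks the resulting file: that it really holds both the private key and the certificate, that the two halves belong together, and what CN it was issued for. It uses rsa:2048 instead of the post’s rsa:1024, since 1024-bit RSA is no longer considered adequate; the hostname and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: create a single-file
# self-signed certificate the way the one-liner does, then verify the file.

# make_selfsigned HOST OUTFILE [DAYS]
#   Writes key + certificate into the same OUTFILE. -subj avoids the
#   interactive prompt; -nodes leaves the key unencrypted so slapd can read
#   it without a passphrase. HOST and OUTFILE are placeholders.
make_selfsigned() {
    host=$1; out=$2; days=${3:-3650}
    openssl req -newkey rsa:2048 -x509 -nodes -days "$days" \
        -subj "/CN=$host" -out "$out" -keyout "$out" 2>/dev/null
}

# check_pem FILE
#   Returns 0 only if FILE contains a private key and a certificate whose
#   public keys are identical; a missing half or a mismatch returns 1.
check_pem() {
    f=$1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    grep -q 'PRIVATE KEY' "$f" || return 1
    certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# cert_cn FILE
#   Prints the CN from the certificate subject so you can confirm the file
#   matches the host it will be served from.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}
```

Run check_pem on each server’s .pem before copying it into cacerts; a file that only contains the certificate (what you’d hand to clients) is correctly rejected, since it has no key half.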