LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 01-01-2010, 07:57 PM   #1
cipherus
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Rep: Reputation: 0
Trusted CA


I'm trying to make certificates for openldap but it is so picky about the certificate to establish an ssh connection (it must be guaranteed by a trusted signing authority e.g. VeriSign). But I'm doing this for my home network, so why should I pay (or even use one of the free) vendors of trust on the internet?

It seems I have to install my CA on all client machines which will attempt to make an ldap+ssl call to the server. Does this sound right?

Also, is this too much a pain in the ass? Are the free trusted CA's a better choice?
 
Old 01-01-2010, 08:18 PM   #2
GooseYArd
Member
 
Registered: Jul 2009
Location: Reston, VA
Distribution: Slackware, Ubuntu, RHEL
Posts: 183

Rep: Reputation: 46
For home use, creating your own CA is the way to go. There's an excellent howto at:

http://sial.org/howto/openssl/ca/

and

http://sial.org/howto/openssl/csr/


Use the CA howto to create a root cert, then use the csr howto to generate a csr and sign yourself a cert. You can then configure openldap to use your own root cert, then just add and trust that root cert on your home machines. It's a bit of a nuisance having to import your ca cert, but hey, its cheap
 
Old 01-02-2010, 11:54 AM   #3
cipherus
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Rep: Reputation: 0
These are great tutorials by the way, thank you. The problem I am having though is that I don't know where add my generated certs on client machines and enable them into the trusted list. The openldap cli tools are just failing when connecting to something that's not already fully trusted.

Unlike when using a browser there is no way to meet an untrusted cert and then say "yes accept this for [this session / forever]".

But I can use `openssl s_client -connect myserver:636 -showcerts` to see that the port is serving with the certificate I made.

EDIT:
-----
If you:
echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf

Then your ldap-utils on client machines will ignore certificate errors. Easy but less than optimal fix (no longer guaranteeing trust, defeating the purpose of using a certificate).

Last edited by cipherus; 01-02-2010 at 01:10 PM.
 
Old 01-02-2010, 01:43 PM   #4
GooseYArd
Member
 
Registered: Jul 2009
Location: Reston, VA
Distribution: Slackware, Ubuntu, RHEL
Posts: 183

Rep: Reputation: 46
ah I see, I always have a hard time remembering how to do this-

depending on how your openssl is compiled, you'll have a directory, probably /etc/ssl (check with http://gagravarr.org/writing/openssl-certs/others.shtml)

in that directory you do something like:

ln -s ~/my_ca.crt `openssl x509 -hash -noout -in my_ca.crt`.0

or you can just copy ~/my_ca.crt to the file name that openssl x509 -hash generates for you.

There's also a way you can configure your own certs directory, I think via openssl.cnf. You may have to set like OPENSSL_CONF=/home/whoever/.openss.cnf. (double check that env variable name, but I think thats right)
 
Old 01-05-2010, 08:15 AM   #5
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 602

Rep: Reputation: 49
And while we are at it, there's a very nice GUI CA called gnoMint - http://gnomint.sourceforge.net/ in case it suits you better to handle issuing of certificates via a GUI than CLI.
 
Old 01-06-2010, 07:37 PM   #6
cipherus
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Rep: Reputation: 0
Awesome software! Thanks to you, sir.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: Trusted Solaris? as400 Solaris / OpenSolaris 4 05-01-2006 06:10 AM
trusted servers dabash Linux - Networking 4 02-22-2005 12:37 AM
trusted user uerden Linux - Security 1 02-16-2004 04:52 PM
trusted connections dominant Linux - Security 2 02-02-2004 06:07 PM
trusted computing tincat2 General 13 12-06-2003 06:15 AM


All times are GMT -5. The time now is 01:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration