LinuxQuestions.org
Old 01-01-2010, 06:57 PM   #1
cipherus
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Rep: Reputation: 0
Trusted CA


I'm trying to make certificates for openldap, but it is so picky about the certificate to establish an ssh connection (it must be guaranteed by a trusted signing authority, e.g. VeriSign). But I'm doing this for my home network, so why should I pay (or even use one of the free) vendors of trust on the internet?

It seems I have to install my CA on all client machines which will attempt to make an ldap+ssl call to the server. Does this sound right?

Also, is this too much of a pain in the ass? Are the free trusted CAs a better choice?
 
Old 01-01-2010, 07:18 PM   #2
GooseYArd
Member
 
Registered: Jul 2009
Location: Reston, VA
Distribution: Slackware, Ubuntu, RHEL
Posts: 183

Rep: Reputation: 46
For home use, creating your own CA is the way to go. There's an excellent howto at:

http://sial.org/howto/openssl/ca/

and

http://sial.org/howto/openssl/csr/


Use the CA howto to create a root cert, then use the csr howto to generate a csr and sign yourself a cert. You can then configure openldap to use your own root cert, then just add and trust that root cert on your home machines. It's a bit of a nuisance having to import your CA cert, but hey, it's cheap.
 
Old 01-02-2010, 10:54 AM   #3
cipherus
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Rep: Reputation: 0
These are great tutorials by the way, thank you. The problem I am having though is that I don't know where to add my generated certs on client machines and enable them in the trusted list. The openldap cli tools are just failing when connecting to something that's not already fully trusted.

Unlike when using a browser there is no way to meet an untrusted cert and then say "yes accept this for [this session / forever]".

But I can use `openssl s_client -connect myserver:636 -showcerts` to see that the port is serving with the certificate I made.

EDIT:
-----
If you:
echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf

Then your ldap-utils on client machines will ignore certificate errors. An easy but less-than-optimal fix (no longer guaranteeing trust, defeating the purpose of using a certificate).

Last edited by cipherus; 01-02-2010 at 12:10 PM.
 
Old 01-02-2010, 12:43 PM   #4
GooseYArd
Member
 
Registered: Jul 2009
Location: Reston, VA
Distribution: Slackware, Ubuntu, RHEL
Posts: 183

Rep: Reputation: 46
Ah, I see. I always have a hard time remembering how to do this.

Depending on how your openssl is compiled, you'll have a directory, probably /etc/ssl (check with http://gagravarr.org/writing/openssl-certs/others.shtml).

In that directory you do something like:

ln -s ~/my_ca.crt `openssl x509 -hash -noout -in my_ca.crt`.0

Or you can just copy ~/my_ca.crt to the file name that openssl x509 -hash generates for you.

There's also a way you can configure your own certs directory, I think via openssl.cnf. You may have to set something like OPENSSL_CONF=/home/whoever/.openss.cnf. (Double check that env variable name, but I think that's right.)
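The whole flow the thread describes, end to end, as an added example that is not from any of the posters: a private root CA, a server cert signed by it, the CA cert installed under its OpenSSL subject hash the way post #4 shows, a chain check with `openssl verify -CApath`, and a client ldap.conf that points at the CA with TLS_CACERT instead of the TLS_REQCERT allow workaround from post #3. It assumes openssl is on PATH; the working directory, key names and the hostname ldap.home.lan are made up for the example.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumes openssl on PATH.
# WORK, file names and ldap.home.lan are constructed for illustration.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Self-signed root CA. The key never leaves the CA machine.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Home Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key + CSR, then sign the CSR with the CA. The CN must be the
#    name clients connect to, or the hostname check fails later.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.home.lan" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
        -out "$WORK/ldap.crt" 2>/dev/null
}

# 3. Install the CA cert into a hashed directory, as post #4 describes:
#    OpenSSL looks up trust anchors in a -CApath dir as <subject_hash>.0.
install_ca() {
    certs="$WORK/certs"; mkdir -p "$certs"
    h=$(openssl x509 -subject_hash -noout -in "$WORK/ca.crt")
    cp "$WORK/ca.crt" "$certs/$h.0"
    echo "$certs/$h.0"
}

# 4. Chain check: succeeds only if the CA is found via the hashed dir.
verify_chain() {
    openssl verify -CApath "$WORK/certs" "$WORK/ldap.crt" >/dev/null 2>&1
}

# 5. Client ldap.conf: trust the CA explicitly and keep "demand", rather
#    than "TLS_REQCERT allow", so certificate errors are not ignored.
write_ldap_conf() {
    printf 'TLS_CACERT %s/ca.crt\nTLS_REQCERT demand\n' "$WORK" \
        > "$WORK/ldap.conf"
    grep -q '^TLS_REQCERT demand$' "$WORK/ldap.conf"
}
```

On a real client the ldap.conf lines go into /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf) with TLS_CACERT pointing at the copied CA cert.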
 
Old 01-05-2010, 07:15 AM   #5
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 608

Rep: Reputation: 50
And while we are at it, there's a very nice GUI CA called gnoMint - http://gnomint.sourceforge.net/ - in case it suits you better to handle issuing of certificates via a GUI than a CLI.
 
Old 01-06-2010, 06:37 PM   #6
cipherus
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Rep: Reputation: 0
Awesome software! Thanks to you, sir.
 