Obtaining a Certificate for OpenLDAP

Send an e-mail to the SensorNetCA (romeja@ornl.gov) requesting a Tomcat certificate. The e-mail should contain:

When your request is approved, I will send you an e-mail with a link for you to pick up your certificate.

OpenLDAP requires PEM keys, so you should choose a PEM file when you get the certificate. The resulting PEM file actually contains three items: your private key, your server certificate, and the SensorNetCA certificate.

If you look at the file (I called it ldap.pem) you will see:

Bag Attributes
friendlyName: ldap.sensornet.gov
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkaoiejlkxjda8HkoHyiIzMTIwWhcNMTAxMjIyMTY0MTIwWjCB
. . .
zrqk9dUogKOBPc0=
-----END PRIVATE KEY-----
Bag Attributes
friendlyName: ldap.sensornet.gov
subject=/E=jar@ornl.gov/UID=ORNL-ldap/CN=ldap.sensornet.gov/SURNAME=ldap.sensornet.gov/T=Server/OU=SensorNet/O=Oak Ridge National Laboratory/L=Oak Ridge/ST=TN/C=US
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
MIIEzzCCA7egAwIBAgIIQtakRK/6fRAwDQYJKoZIhvcNAQEFBQAwRjEUMBIGA1UE
. . .
aUgze7N7OXu3HhttxkX0YDiLA0L4SyrtyYlbo8Cu+XYIZaM=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: SensorNetCA
subject=/CN=SensorNetCA/DC=sensornet/DC=gov
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIINrFilyCRqvgwDQYJKoZIhvcNAQEFBQAwRjEUMBIGA1UE
. . .
Ua5i8dgCFEqNnVJutU22Z2Ad6T/u
-----END CERTIFICATE-----

You will need to use a text editor to split this file into three parts. Each part starts with the line

-----BEGIN CERTIFICATE----- (or -----BEGIN PRIVATE KEY-----)

and ends with the line

-----END CERTIFICATE----- (or -----END PRIVATE KEY-----)

The "Bag Attributes", friendlyName, subject= and issuer= lines between the items are informational only and can be left out.

Your /etc/openldap/slapd.conf file should have lines like:

# TLS options for slapd
# Use SSL
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateKeyFile /etc/openldap/keys/ldap.sensornet.gov-Key.pem
TLSCertificateFile /etc/openldap/keys/ldap.sensornet.gov.pem
TLSCACertificateFile /etc/openldap/keys/ldap.sensornet.gov-CA.pem

These three lines are in the same order as the items appear in the PEM file: the private key, then the server certificate, then the SensorNetCA certificate. Extract the three items into files with those names and save them in /etc/openldap/keys.

The private key in the SensorNetCA PEM file is unencrypted, and that is what you want for your LDAP server: slapd has to read the key when it starts, with nobody there to type a passphrase. If you need an encrypted copy for some other purpose, you can make one with:

openssl rsa -in "ldap.sensornet.gov-KeyUnEnc.pem" -des3 -out "ldap.sensornet.gov-Key.pem"

For slapd itself, though, the file named by TLSCertificateKeyFile must stay unencrypted.
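The splitting described above can be done without hand-editing, and it is worth checking the result before slapd is restarted. The script below is an added example, not part of the original page or of OpenLDAP: it splits a bundle laid out like the ldap.pem listing (private key first, then the server certificate, then the CA certificate) into the three file names used in the slapd.conf lines, confirms each output holds exactly one PEM object, checks that the key is unencrypted as slapd requires, and, when openssl is installed, checks that the key matches the server certificate and that the certificate chains to the CA. The embedded sample bundle is constructed with placeholder bodies, so only the splitting and header checks run on it; the host name, output directory and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): split a SensorNetCA-style PEM
# bundle into the three files the slapd.conf lines expect, then sanity-check
# them. Assumes the bundle order shown in the listing: private key, server
# certificate, CA certificate. Host name and output directory are parameters.
set -eu

# split_pem BUNDLE OUTDIR HOST
# Writes OUTDIR/HOST-Key.pem, OUTDIR/HOST.pem and OUTDIR/HOST-CA.pem, keeping
# only the -----BEGIN ... -----END blocks; Bag Attributes, friendlyName,
# subject= and issuer= lines are dropped.
split_pem() {
    bundle=$1 outdir=$2 host=$3
    mkdir -p "$outdir"
    awk -v key="$outdir/$host-Key.pem" \
        -v cert="$outdir/$host.pem" \
        -v ca="$outdir/$host-CA.pem" '
        /^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----$/ { out = key }
        /^-----BEGIN CERTIFICATE-----$/ { ncert++; out = (ncert == 1) ? cert : ca }
        out != "" { print > out }
        /^-----END / { out = "" }
    ' "$bundle"
    # the key is a secret: make it readable by its owner (the slapd user) only
    chmod 600 "$outdir/$host-Key.pem"
}

# count_blocks FILE: number of PEM objects (-----BEGIN lines) in FILE
count_blocks() {
    grep -c '^-----BEGIN ' "$1" || true
}

# key_is_unencrypted FILE: succeeds only if FILE is a plaintext key that slapd
# can load at startup (no PKCS#8 ENCRYPTED header, no legacy Proc-Type/DEK-Info)
key_is_unencrypted() {
    grep -q '^-----BEGIN ' "$1" || return 1
    ! grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED|^DEK-Info:' "$1"
}

# verify_material OUTDIR HOST: with openssl installed, confirm the key and the
# server certificate carry the same public key and that the certificate
# chains to the CA file. Run this on the real files from the CA, not the sample.
verify_material() {
    outdir=$1 host=$2
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping key/certificate checks" >&2
        return 0
    fi
    openssl pkey -in "$outdir/$host-Key.pem" -noout   # must parse as a key
    openssl x509 -in "$outdir/$host.pem" -noout       # must parse as a cert
    key_pub=$(openssl pkey -in "$outdir/$host-Key.pem" -pubout | openssl sha256)
    cert_pub=$(openssl x509 -in "$outdir/$host.pem" -pubkey -noout | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not belong to $host.pem" >&2
        return 1
    fi
    openssl verify -CAfile "$outdir/$host-CA.pem" "$outdir/$host.pem"
}

# make_sample_bundle FILE: constructed stand-in for ldap.pem with the same
# layout as the listing. The bodies are placeholders, not real key material.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: ldap.sensornet.gov
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEYBODYLINE1
PLACEHOLDERKEYBODYLINE2
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: ldap.sensornet.gov
subject=/CN=ldap.sensornet.gov/OU=SensorNet
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
PLACEHOLDERSERVERCERTBODY
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: SensorNetCA
subject=/CN=SensorNetCA/DC=sensornet/DC=gov
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
PLACEHOLDERCABODY
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo on the constructed bundle. For a deployment, point
# split_pem at the real ldap.pem and /etc/openldap/keys, then run
# verify_material on the result.
work=$(mktemp -d)
make_sample_bundle "$work/ldap.pem"
split_pem "$work/ldap.pem" "$work/keys" ldap.sensornet.gov
for f in ldap.sensornet.gov-Key.pem ldap.sensornet.gov.pem ldap.sensornet.gov-CA.pem; do
    printf '%s: %s PEM object(s)\n' "$f" "$(count_blocks "$work/keys/$f")"
done
if key_is_unencrypted "$work/keys/ldap.sensornet.gov-Key.pem"; then
    echo "key is unencrypted, slapd can load it"
fi
rm -rf "$work"
```

One point the check does not cover is the TLSCipherSuite line in the slapd.conf fragment: it admits MEDIUM-strength ciphers and SSLv3-era suites. On a current OpenLDAP build you would restrict the list to HIGH and use the TLSProtocolMin directive to refuse SSLv3 and early TLS, so that an otherwise correct certificate setup is not undermined by a weak protocol negotiation.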

To hash the root password do:

$ /usr/sbin/slappasswd
New password:
Re-enter new password:
{SSHA}nRJ7Y0ur_Hash1QsFcL