Send an e-mail to the SensorNetCA (romeja@ornl.gov) requesting a Tomcat certificate. The e-mail should contain:
When your request is approved, I will send you an e-mail with a link for you to pick up your certificate.
OpenLDAP requires PEM keys, so you should choose a PEM file when you get the certificate. The resulting PEM file actually contains three items:
If you look at the file (I called it ldap.pem) you will see:
Bag Attributes
friendlyName: ldap.sensornet.gov
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkaoiejlkxjda8HkoHyiIzMTIwWhcNMTAxMjIyMTY0MTIwWjCB
. . .
zrqk9dUogKOBPc0=
-----END PRIVATE KEY-----
Bag Attributes
friendlyName: ldap.sensornet.gov
subject=/E=jar@ornl.gov/UID=ORNL-ldap/CN=ldap.sensornet.gov/SURNAME=ldap.sensornet.gov/T=Server/OU=SensorNet/O=Oak Ridge National Laboratory/L=Oak Ridge/ST=TN/C=US
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
MIIEzzCCA7egAwIBAgIIQtakRK/6fRAwDQYJKoZIhvcNAQEFBQAwRjEUMBIGA1UE
. . .
aUgze7N7OXu3HhttxkX0YDiLA0L4SyrtyYlbo8Cu+XYIZaM=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: SensorNetCA
subject=/CN=SensorNetCA/DC=sensornet/DC=gov
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIINrFilyCRqvgwDQYJKoZIhvcNAQEFBQAwRjEUMBIGA1UE
. . .
Ua5i8dgCFEqNnVJutU22Z2Ad6T/u
-----END CERTIFICATE-----
You will need to use a text editor to split this file into three parts, each starting with its line
-----BEGIN CERTIFICATE (or PRIVATE KEY)-----
and ending with the matching line
-----END CERTIFICATE (or PRIVATE KEY)-----
Your /etc/openldap/slapd file should have lines like:
# TLS options for slapd
# Use SSL
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateKeyFile /etc/openldap/keys/ldap.sensornet.gov-Key.pem
TLSCertificateFile /etc/openldap/keys/ldap.sensornet.gov.pem
TLSCACertificateFile /etc/openldap/keys/ldap.sensornet.gov-CA.pem
This is the order the certificates appear in the PEM file. Extract them with the appropriate names and save them in /etc/openldap/keys.
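The split described above can be scripted instead of done by hand. The following is an added example, not part of the original instructions or of any SensorNet tool: it cuts the PEM bundle at the BEGIN/END lines, uses the subject= and issuer= lines from the Bag Attributes headers to confirm that the second certificate really is the CA that issued the first (so a bundle in an unexpected order is rejected rather than written out under the wrong names), and writes the three files with the names used in the slapd configuration. The sample bundle is constructed with placeholder base64, and the file names and key directory are assumptions.

```python
"""Split a PKCS#12-derived PEM bundle into the three files slapd expects (added example)."""
import re
from pathlib import Path

# One PEM block: BEGIN line, body, matching END line (label captured in group 1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n?", re.S)

# Constructed stand-in for the bundle shown above; base64 bodies are placeholders.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: ldap.sensornet.gov
-----BEGIN PRIVATE KEY-----
KEYDATA
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: ldap.sensornet.gov
subject=/CN=ldap.sensornet.gov/OU=SensorNet/O=Oak Ridge National Laboratory
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
SERVERCERTDATA
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: SensorNetCA
subject=/CN=SensorNetCA/DC=sensornet/DC=gov
issuer=/CN=SensorNetCA/DC=sensornet/DC=gov
-----BEGIN CERTIFICATE-----
CACERTDATA
-----END CERTIFICATE-----
"""

def split_pem_bundle(text):
    """Return [(label, block, attrs)] in file order; attrs holds the subject=/issuer= header lines."""
    parts, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        header = text[pos:m.start()]  # the Bag Attributes lines preceding this block
        attrs = dict(l.strip().split("=", 1) for l in header.splitlines()
                     if l.strip().startswith(("subject=", "issuer=")))
        parts.append((m.group(1), m.group(0), attrs))
        pos = m.end()
    return parts

def name_parts(parts, host):
    """Map the bundle to slapd's key/cert/CA file names, checking the chain order first."""
    keys = [p for p in parts if p[0].endswith("PRIVATE KEY")]
    certs = [p for p in parts if p[0] == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 2:
        raise ValueError(f"expected 1 key and 2 certificates, got {len(keys)} and {len(certs)}")
    server, ca = certs  # bundle order: server certificate first, CA certificate second
    if server[2].get("issuer") != ca[2].get("subject"):
        raise ValueError("first certificate was not issued by the second; bundle order is wrong")
    if ca[2].get("subject") != ca[2].get("issuer"):
        raise ValueError("second certificate is not self-signed, so it is not the root CA")
    return {f"{host}-Key.pem": keys[0][1], f"{host}.pem": server[1], f"{host}-CA.pem": ca[1]}

def write_parts(named, keydir="/etc/openldap/keys"):
    """Write each part; the private key is readable only by its owner."""
    for name, block in named.items():
        path = Path(keydir) / name
        path.write_text(block)
        path.chmod(0o600 if name.endswith("-Key.pem") else 0o644)
```

Run it as `write_parts(name_parts(split_pem_bundle(Path("ldap.pem").read_text()), "ldap.sensornet.gov"))` from an account that can write the key directory; the chain check only reads the openssl header lines, so a bundle exported without them should still be checked with `openssl verify` before use.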
The private key in the SensorNetCA PEM files is unencrypted, and that is what your LDAP server needs: slapd cannot prompt for a passphrase when it starts, so it must be able to read the key without one. If you ever need an encrypted copy of the key for some other purpose, you can make one with:
openssl rsa -in "ldap.sensornet.gov-KeyUnEnc.pem" -des3 -out "ldap.sensornet.gov-Key.pem"
but do not point TLSCertificateKeyFile at an encrypted key; slapd needs the unencrypted one.
To hash the root password do:
$ /usr/sbin/slappasswd
New password:
Re-enter new password:
{SSHA}nRJ7Y0ur_Hash1QsFcL