LDAP Study Notes (3): TLS Configuration for 389-DS (RHDS)


I. Generate the CA certificate

Here the CA and the directory server are the same machine. If they are separate hosts, make sure their time zones and clocks agree: a certificate whose Not Before timestamp still lies in the future from the server's or a client's point of view is rejected as not yet valid.

[root@ldap-server1 ~]# cd /etc/pki/CA/
[root@ldap-server1 CA]# echo "01" > /etc/pki/CA/serial
[root@ldap-server1 CA]# touch /etc/pki/CA/index.txt
[root@ldap-server1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
...............................................+++
e is 65537 (0x10001)
[root@ldap-server1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
# Non-interactive equivalent that supplies the DN with -subj instead of answering the prompts below. Keep the CA's subject distinct from the server certificate's subject (the interactive run uses CN=example.com); the one-liner as written would reuse the server's host name as the CA CN:
# openssl req -new -x509 -subj "/C=CN/ST=ShangHai/L=ShangHai/O=IT/OU=IT/CN=ldap-server1.example.com" -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:admin@example.com

II. Generate the server certificate request. For 389-DS / RHDS the request is created here in the console, which generates the key pair directly inside the instance's NSS database; for OpenLDAP the request is generated on the command line with openssl.

1. Click Manage Certificates.

2. The first time, the console asks you to set a security password. This is the password of the instance's NSS key and certificate database; remember it, because it is requested as the token PIN at every restart once TLS is enabled.

3. Create the server certificate request.

4. Click Next.

5. Fill in the request details (the DN fields; the CN should be the host name clients will connect to, here ldap-server1.example.com) and click Next.

6. The defaults are fine.

7. Enter the security password.

8. Generate the request and save it (this is the server.csr signed in the next section).

9. The request is created.

III. Sign the server request with the CA

[root@ldap-server1 CA]# pwd
/etc/pki/CA
[root@ldap-server1 CA]# cp /root/server.csr .
[root@ldap-server1 CA]# openssl ca -in server.csr -out server.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 23 14:54:33 2022 GMT
            Not After : Mar 20 14:54:33 2032 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            localityName              = ShangHai
            organizationName          = dewu
            organizationalUnitName    = Tech
            commonName                = ldap-server1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E1:32:96:1F:9F:3B:0A:53:53:6E:46:7B:C4:43:01:D4:5D:4C:70:BE
            X509v3 Authority Key Identifier: 
                keyid:74:93:DF:5C:C3:A6:49:B2:CB:2A:AA:05:9C:FE:27:3F:69:C2:B9:89

Certificate is to be certified until Mar 20 14:54:33 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated 

Possible problem:

The stateOrProvinceName field needed to be the same in the
CA certificate (ShangHai) and the request (ShangHai)

Cause

1. openssl ca uses the policy_match policy by default, which requires countryName, stateOrProvinceName and organizationName in the request to be identical to the CA certificate; any difference aborts signing.
2. The three values can be identical as text and still fail, because the comparison is made on the ASN.1 value including its string type. The CA certificate was produced with string_mask = utf8only (UTF8String), while the request generated by the console (NSS) typically encodes an ASCII value such as "ShangHai" as a PrintableString, hence the error above showing two identical-looking values.

Fix

[root@ldap-server1 CA]# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf-bak
[root@ldap-server1 CA]# vim /etc/pki/tls/openssl.cnf   # switch the policy to policy_anything
#policy         = policy_match
policy          = policy_anything

The same effect without touching the system-wide file is to pass -policy policy_anything on the openssl ca command line for this one signing.
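The flow of sections I to III as one script, added here as an example (these are not the post's commands): it keeps the CA in a throw-away directory with its own openssl config rather than editing /etc/pki/tls/openssl.cnf, generates the server key and request on the command line instead of in the console, signs non-interactively, and then verifies the result the way a client would. Assumed names: the host ldap-server1.example.com and the DN values from the post, a CA called "Example Lab CA", an 825-day server certificate lifetime and a WORK_DIR override. The config also puts the host name in a subjectAltName, which the post's certificate lacks; current TLS stacks prefer the SAN over the CN for host-name matching and some (browsers, Go) no longer consult the CN at all.

```shell
#!/bin/sh
# Added example, not the original post's commands: a lab CA that issues the
# 389-DS server certificate using its own openssl config (no edits to
# /etc/pki/tls/openssl.cnf). Assumed: host ldap-server1.example.com, the DN
# values from the post, and a throw-away work directory (override with WORK_DIR).
set -eu

WORK=${WORK_DIR:-$(mktemp -d)}
CA_DIR="$WORK/demoCA"
CNF="$WORK/demo.cnf"
HOST=ldap-server1.example.com

write_config() {
    # policy_anything sidesteps the policy_match check on C/ST/O. The CA, not the
    # requester, decides the server extensions (nothing is copied from the CSR).
    cat >"$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 825
policy          = policy_anything
x509_extensions = server_ext
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$HOST
EOF
}

# Self-signed 10-year root with a subject distinct from the server's host name.
make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" && chmod 700 "$CA_DIR/private"
    : >"$CA_DIR/index.txt"; echo 01 >"$CA_DIR/serial"
    openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    openssl req -config "$CNF" -new -x509 -sha256 -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=IT/OU=IT/CN=Example Lab CA"
}

# Command-line equivalent of the console's "create server request" wizard.
make_server_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -config "$CNF" -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=IT/OU=IT/CN=$HOST"
}

# -batch answers the "Sign the certificate?" prompts; -notext keeps the file PEM-only.
sign_server_csr() {
    openssl ca -config "$CNF" -batch -notext -in "$WORK/server.csr" -out "$WORK/server.crt"
}

# Succeeds only if the cert chains to our CA AND is valid for the name clients
# dial: the two checks ldapsearch -ZZ makes once TLS_CACERT points at cacert.pem.
verify_server_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$HOST" "$WORK/server.crt" >/dev/null
}

# ASN.1 string types used in a PEM object's DN. policy_match compares value and
# type together, which is why a PrintableString "ShangHai" in a CSR fails against
# a UTF8String "ShangHai" in the CA certificate despite identical text.
subject_string_types() {
    openssl asn1parse -in "$1" | grep -oE 'PRINTABLESTRING|UTF8STRING' | sort -u
}

main() {
    write_config; make_ca; make_server_csr; sign_server_csr; verify_server_cert
    echo "issued $WORK/server.crt for $HOST, verified against $CA_DIR/cacert.pem"
}
main
```

Because the private key is generated here rather than inside the instance's NSS database, it goes into the server together with its certificate as a PKCS#12 bundle (openssl pkcs12 -export, then pk12util -d /etc/dirsrv/slapd-<instance> -i server.p12), while the CA certificate is still added with certutil -A as in section VII. Both files produced by this script come out of the same openssl build, so subject_string_types reports the same string types for the CA certificate and the request; a console-generated CSR is where the two can diverge.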

IV. Import the server and CA certificates

1. Import the server certificate (console screenshots omitted)

2. Import the CA certificate (console screenshots omitted)

V. Enable TLS

Enable it in the console.

The console then reports that the service must be restarted.

Restart the service:

[root@ldap-server1 CA]# systemctl restart dirsrv.target
Enter PIN for Internal (Software) Token: **********   # once TLS is enabled, every restart asks for the password set in Manage Certificates (section VII, item 2 shows how to avoid the prompt)

VI. Verify

[root@ldap-server1 CA]# ldapsearch -ZZ -x  # -Z sends a StartTLS request; -ZZ requires it to succeed
ldap_start_tls: Connect error (-11)
	additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
[root@ldap-server1 CA]# vim /etc/openldap/ldap.conf  # point the client at the CA certificate
TLS_CACERT /etc/openldap/certs/cacert.pem
[root@ldap-server1 CA]# cp /etc/pki/CA/cacert.pem /etc/openldap/certs/  # copy the CA certificate to that location
[root@ldap-server1 CA]# ldapsearch -ZZ -x

The first failure is expected: the client trusts nothing that chains to our private CA until TLS_CACERT names it. Two further checks worth making: the host name in the URI the client uses (the URI line in ldap.conf, or -H) must match the CN or subjectAltName of the server certificate, otherwise the client reports a host-name mismatch instead; and openssl s_client -connect ldap-server1.example.com:389 -starttls ldap -CAfile /etc/openldap/certs/cacert.pem (OpenSSL 1.1.1 or later) shows the served chain and the verify result independently of the LDAP client libraries.

VII. Other notes

1. If the server certificate was added in the console but the CA certificate was forgotten, and TLS was then enabled, the service no longer starts. Turn security off in the instance's configuration file, start the service, import the CA certificate, and enable TLS again.

Configuration file:

[root@ldap-server1 ~]#  grep -n  "nsslapd-security" /etc/dirsrv/slapd-server1/dse.ldif
51:nsslapd-security: on   # change on to off and restart the service

Edit dse.ldif only while the instance is stopped: a running ns-slapd rewrites the file on shutdown and discards hand edits.

2. Avoiding the password prompt at every restart once TLS is enabled

[root@ldap-server1 ~]# echo 'Internal (Software) Token:admin12345'  > /etc/dirsrv/slapd-server1/pin.txt
[root@ldap-server1 ~]# chmod 600  /etc/dirsrv/slapd-server1/pin.txt

The pin file holds the NSS database password in clear text. Keep it readable only by the account the instance runs as (dirsrv on a stock install; adjust ownership if your instance does not run as root), and treat a copy of this file plus the key database as equivalent to the server's private key.

3. Importing through the console occasionally fails; in that case import with the certutil command-line tool instead

[root@ldap-server1 ~]# certutil -d /etc/dirsrv/slapd-ldap-server1/ -A -i ca.crt -n CA_CERT  -t CT,CT,CT    # -d NSS database directory, -A add a certificate, -i certificate file, -n nickname, -t trust flags: C = trusted CA for server certificates, T = trusted CA for client certificates, one group each for SSL, e-mail and object signing
[root@ldap-server1 ~]# certutil -d /etc/dirsrv/slapd-ldap-server1/ -A -i ldap-server1.example.com.crt -n SERVE_CERT -t u,u,u   # u = the private key for this certificate is in the database, i.e. the server's own certificate

The nickname given with -n for the server certificate must be the one the instance is configured to use (nsSSLPersonalitySSL under cn=RSA,cn=encryption,cn=config, set by the console when TLS was enabled); otherwise the server cannot find its certificate at startup.

  

