The solution
We’ll be using OpenSSL to generate all of our certificates.
Step 1: Root SSL certificate
The first step is to create a Root Secure Sockets Layer (SSL) certificate. This root certificate can then be used to sign any number of certificates you might generate for individual domains.
Generate an RSA-2048 key and save it to a file rootCA.key. This file will be used as the key to generate the Root SSL certificate. You will be prompted for a pass phrase which you’ll need to enter each time you use this particular key to generate a certificate.
openssl genrsa -des3 -out rootCA.key 2048
To remove the passphrase from the private key (the file is rewritten in place):
openssl rsa -in rootCA.key -out rootCA.key
You can use the key you generated to create a new Root SSL certificate. Save it to a file named rootCA.pem. This certificate will have a validity of 1,024 days. Feel free to change it to any number of days you want. You’ll also be prompted for other optional information.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Step 2: Domain SSL certificate
The root SSL certificate can now be used to issue a certificate specifically for your local development environment located at localhost.
Create a file server.csr.cnf so you can import these settings when creating a certificate instead of entering them on the command line.
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=hello@example.com
CN = localhost
Create a v3.ext file in order to create an X.509 v3 certificate.
Notice that we specify subjectAltName here.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Create a private key and a certificate signing request for localhost using the configuration settings stored in server.csr.cnf. The key is written to server.key and the request to server.csr.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
The certificate signing request is then signed with the root certificate and key we created earlier, producing a domain certificate for localhost. The output is a certificate file called server.crt.
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
Configure the LDAP server. Copy the server key and certificate from /etc/ssl/private, together with the system CA bundle, into the directory slapd reads from:
cp /etc/ssl/private/server.key /etc/ldap/sasl2/
cp /etc/ssl/private/server.crt /etc/ldap/sasl2/
cp /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
Permissions
chown openldap. /etc/ldap/sasl2/*
Create /root/mod_ssl.ldif
nano mod_ssl.ldif
Content
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/server.key
Apply it with ldapmodify:
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
Output:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Changes in the /etc/default/slapd file (this enables the ldaps:// listener):
nano /etc/default/slapd
Change SLAPD_SERVICES to
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Restart slapd:
systemctl restart slapd
In the /etc/ldap/ldap.conf file, add:
TLS_REQCERT allow
Note that allow tells the client-side LDAP library to carry on even when the server certificate cannot be verified, so it only makes sense for local testing; otherwise point TLS_CACERT at rootCA.pem and use TLS_REQCERT demand.
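The whole procedure above, Steps 1 and 2 plus the checks worth running before the files are copied into /etc/ldap/sasl2, as an added script that is not part of the original page. It assumes the openssl CLI with its default openssl.cnf is installed, drops the -des3 passphrase so nothing prompts, and writes every file under the directory it is given.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: Steps 1 and 2 run non-interactively,
# then the checks a practitioner wants before handing the files to slapd.
# Assumes the openssl CLI and its default openssl.cnf are installed.
set -eu
# Build rootCA.key, rootCA.pem, server.csr.cnf, v3.ext, server.key and server.crt in $1.
make_local_chain() {
  local dir="$1"
  mkdir -p "$dir"
  ( cd "$dir"
    # Root key without -des3 so nothing prompts; the subject comes from -subj instead.
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
      -subj "/C=US/O=RandomOrganization/CN=Local Root CA" -out rootCA.pem
    # The page's server.csr.cnf, trimmed to the required fields.
    printf '%s\n' '[req]' 'default_bits = 2048' 'prompt = no' 'default_md = sha256' \
      'distinguished_name = dn' '[dn]' 'C=US' 'O=RandomOrganization' 'CN = localhost' \
      > server.csr.cnf
    # v3.ext exactly as on the page: an end-entity certificate with a localhost SAN.
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
      'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
      'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = localhost' > v3.ext
    openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
      -keyout server.key -config server.csr.cnf 2>/dev/null
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
      -out server.crt -days 500 -sha256 -extfile v3.ext 2>/dev/null
  )
}
# 0 if certificate $1 chains to CA bundle $2: what a client with TLS_REQCERT demand needs.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# 0 if $1 is marked CA:FALSE and carries DNS:localhost in subjectAltName.
is_localhost_leaf() {
  local text
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:FALSE' && printf '%s\n' "$text" | grep -q 'DNS:localhost'
}
# Everything worth checking on directory $1 before copying the files into /etc/ldap/sasl2.
check_local_chain() {
  chains_to "$1/server.crt" "$1/rootCA.pem" || return 1
  is_localhost_leaf "$1/server.crt" || return 1
  # Certificate and key must carry the same public key, or slapd cannot bring up TLS.
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ]
}
```

The negative check in the test below matters for the slapd configuration: the system ca-certificates.crt behaves like an unrelated root until rootCA.pem is appended to it.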
Step 3: Trust the root SSL certificate
Before you can use the newly created Root SSL certificate to start issuing domain certificates, there’s one more step. You need to tell your Mac to trust your root certificate so all individual certificates issued by it are also trusted.