
OpenSSL generate self-signed certificate

This is specifically for FreeBSD, but should work fine on other Unix-likes. It's been tested and verified to work, so if it doesn't, something else is wrong. One of 10001 possibilities. Check paths and permissions first.

Typically used for LDAP (slapd) and TLS setups. Will also work for Apache mod_ssl setups.

# openssl genrsa -rand -genkey -out cert.key 2048
0 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.............................................+++
.................................................................................................................+++
e is 65537 (0x10001)

Use this key to create a self-signed certificate. Follow the usual prompts for creating a certificate (this one is valid for 10+ years; the -days default is usually 365).

The Common Name provided MUST be the FQDN of the server; for a desktop, an IP address will suffice, and for a user certificate, the user's email address.

# openssl req -new -x509 -days 4000 -key cert.key -out cert.crt -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:GT
Locality Name (eg, city) []:Pretoria
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UP
Organizational Unit Name (eg, section) []:Sysadmin CBCB
Common Name (e.g. server FQDN or YOUR name) []:auth.bi.up.ac.za
Email Address []:johann.swart@up.ac.za

Obviously these files (.crt and .key) MUST be placed in the correct directory.
On FreeBSD it's usually /usr/local/etc/openldap.
A good place on Linux is /etc/openldap/cacerts. Create it if it does not exist, and edit all the config files to point there.
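A non-interactive version of the same procedure, added here as an example and not part of the original page: it generates the key and the certificate in one openssl req call, puts the host name in a subjectAltName as well as the CN (current browsers and most LDAP/TLS clients match the SAN, not the CN), creates the key with mode 0600 so the "check perms first" step is already done, and checks that the certificate really belongs to the key. The page's -rand -genkey arguments to genrsa are left out: -rand expects a seed file, so -genkey is read as a file name, which is why the transcript says "0 semi-random bytes loaded". The host name ldap.example.org, the output directory and the validity are constructed values for the demo, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not the original page's commands): generate a self-signed
# certificate non-interactively and check the three things that usually go
# wrong: key and cert do not match, the host name is only in the CN (clients
# check the subjectAltName), and the key file is readable by everyone.
# Assumptions: openssl 1.1.1 or newer (for -addext); host name, output
# directory and validity below are constructed values for the demo.
set -eu

# gen_selfsigned HOST OUTDIR [DAYS]: writes OUTDIR/cert.key (mode 0600) and OUTDIR/cert.crt
gen_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    # umask in a subshell so only this key is created private, not every later file
    ( umask 077 && openssl req -new -x509 -sha256 -days "$days" \
          -newkey rsa:2048 -nodes \
          -keyout "$outdir/cert.key" -out "$outdir/cert.crt" \
          -subj "/C=ZA/O=Example Org/CN=$host" \
          -addext "subjectAltName=DNS:$host" )
    chmod 0644 "$outdir/cert.crt"   # the certificate is public; the key stays 0600
}

# cert_matches_key CRT KEY: succeeds when the certificate carries KEY's public key
cert_matches_key() {
    crt_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus)
    [ "$crt_mod" = "$key_mod" ]
}

# cert_has_san CRT HOST: succeeds when HOST is present as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private KEY: succeeds when the key file mode is exactly 0600
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    [ "$mode" = "600" ]
}

# Demo run into a throwaway directory; ldap.example.org is a constructed host name.
WORK=$(mktemp -d)
DEMO_HOST=ldap.example.org
gen_selfsigned "$DEMO_HOST" "$WORK" 3650
openssl x509 -in "$WORK/cert.crt" -noout -subject -dates
cert_matches_key "$WORK/cert.crt" "$WORK/cert.key" && echo "key and certificate match"
cert_has_san "$WORK/cert.crt" "$DEMO_HOST" && echo "SAN present for $DEMO_HOST"
key_is_private "$WORK/cert.key" && echo "cert.key is mode 0600"
```

Copy cert.key and cert.crt from the work directory into the OpenLDAP directory named above (keeping the 0600 mode on the key, owned by the user slapd runs as); the three check functions can be rerun there after copying, since a wrong mode or a cert/key mix-up after copying is the usual reason slapd refuses to start TLS.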