实验环境：VirtualBox 虚拟机，RHEL 5.5 系统。注意：这是实验配置，下面几处选择不适合直接用于生产环境——`slappasswd -h {md5}` 生成的是无盐 MD5 哈希，应改用 slappasswd 默认的 {SSHA}；写有该哈希的 kl 文件（通常是要粘贴进 slapd.conf 的 rootpw）用完后应删除；脚本默认生成的 1024 位 RSA 密钥今天已经太短，应至少使用 2048 位。
[root@mail ~]# yum -y install openldap*
[root@mail ~]# chkconfig ldap on
[root@mail ~]# slappasswd -h {md5} > kl
New password:
Re-enter new password:
[root@mail ~]# cat kl
{MD5}4nmK8Sp6D09wtNae+8JfTQ==
[root@mail ~]# vim /etc/openldap/slapd.conf
[root@mail ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@mail ~]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@mail ~]# chown -R ldap.ldap /var/lib/ldap/ 把整个数据目录的属主和属组改为 ldap，是为了让 slapd 进程能读写自己的数据库文件；它与下面签发证书时的报错没有关系——那个报错是因为 openssl ca 读到的 privkey.pem 里只有私钥而没有证书请求。
[root@mail ~]# cd /usr/share/openldap/migration/
[root@mail migration]# vim migrate_common.ph
[root@mail migration]# ./migrate_base.pl > base.ldif
[root@mail migration]# ldapadd -x -D "cn=root,dc=rhel5,dc=com" -W -f base.ldif
[root@mail migration]# ./migrate_passwd.pl /etc/passwd passwd.ldif
[root@mail migration]# ldapadd -x -D "cn=root,dc=rhel5,dc=com" -W -f passwd.ldif
[root@mail migration]# ./migrate_group.pl /etc/group group.ldif
[root@mail migration]# ldapadd -x -D "cn=root,dc=rhel5,dc=com" -W -f group.ldif
[root@mail migration]# openssl req -new -nodes -subj '/CN=mail.rhel5.com/O=hd/C=CN/ST=sh/L=yp'
Generating a 1024 bit RSA private key
.............++++++
....................++++++
writing new private key to 'privkey.pem'
-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBjDCB9gIBADBNMRcwFQYDVQQDEw5tYWlsLnJoZWw1LmNvbTEL
MAkGA1UEChMC
aGQxCzAJBgNVBAYTAkNOMQswCQYDVQQIEwJzaDELMAkGA1UEBx
MCeXAwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJfCZ
+x44gnNVvdkl30zLWSO2yG7lGR9IKE7
xrwm/PERSyaT+Qod669VsKNrJ0AKXPajfmdwFFdkOov/TL3Kb0+eQn
+FYrHesz/N
GSeNOfhW/IiyHJw7JdKsCrClU4Kofj
+8gQHJhVEjy8WM58hmZgp6p5G1tUXPv14i
+0xljVhTAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBuP4/
+Hz4WLceNpGK5bDEG
goRHvIq
+zvUe5M29/ER21G3pQSVOiSDUyOlulSYlXTP4/fYS8FWv0fnR54phiaX0
yBXmZlRTS2ftW2r4a
+bhvtqGUd0QYQZusILnxrYQwOuTWNnQBhKmnwgNaIB46gwJ
SE3DBaKnhAxOeU6oPiOJRg==
[root@mail migration]# openssl ca -out newcert.pem -infiles
privkey.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Error reading certificate request in privkey.pem
3598:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: CERTIFICATE REQUEST
-----END CERTIFICATE REQUEST-----
问题出现了。原因：上面的 `openssl req -new -nodes` 没有指定 -out，证书请求被直接打印到了屏幕上，privkey.pem 里只有（-nodes 生成的、未加密的）私钥，所以 `openssl ca -infiles privkey.pem` 读不到 CERTIFICATE REQUEST；/var/lib/ldap 的属主问题只影响 slapd 打开数据库，与此报错无关。解决办法——先修正数据目录属主（slapd 需要），再到 /etc/pki 下用 -keyout/-out 把私钥和请求写入文件后签发:
[root@mail ~]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@mail ~]# chown -R ldap.ldap /var/lib/ldap/ 把数据目录整体改为 ldap 属主/属组，是 slapd 读写 BDB 数据库所需要的；证书签发报错与此无关，真正原因是 privkey.pem 里没有证书请求（见下文用 -keyout/-out 重新生成 newreq.pem 的步骤）。
上面建立 user 和 group 数据库的步骤保持不变。需要注意：以 root 运行 migrate_passwd.pl 生成的 passwd.ldif 一般会包含从 /etc/shadow 导出的口令哈希（userPassword），导入后应删除该文件或至少 chmod 600；另外 ldapadd -x -W 是简单绑定，管理员口令以明文传输，这里没有指定 -H、默认连本机尚可，跨网络使用前应先配置好 TLS（ldaps:// 或 STARTTLS）。
另外，建 CA 和签发证书要先 cd 到 /etc/pki 再操作：openssl.cnf 里 CA 目录是相对路径 ../../CA（见输出中的 ../../CA/private/cakey.pem），所以 CA -newca、openssl req、openssl ca 应在同一个工作目录下执行，否则会用到或创建不同位置的 CA。还要注意下面 `openssl req -nodes -keyout newreq.pem -out newreq.pem` 会把未加密的私钥和 CSR 写进同一个文件，配置 slapd TLS（TLSCertificateKeyFile）时应把私钥单独拆出，属主 ldap、权限 600，不要把它留在其他用户可读的位置。
[root@mail pki]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:sh
Locality Name (eg, city) [Newbury]:yp
Organization Name (eg, company) [My Company Ltd]:hd
Organizational Unit Name (eg, section) []:500
Common Name (eg, your name or your server's hostname) []:mail.rhel5.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:redhat
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 19 05:18:05 2012 GMT
Not After : Apr 19 05:18:06 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = sh
organizationName = hd
organizationalUnitName = 500
commonName = mail.rhel5.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
91:CD:B8:9B:E6:A4:82:59:5B:EC:49:9E:98:A2:E3:20:CF:B6:E2:D6
X509v3 Authority Key Identifier:
keyid:91:CD:B8:9B:E6:A4:82:59:5B:EC:49:9E:98:A2:E3:20:CF:B6:E2:D6
Certificate is to be certified until Apr 19 05:18:06 2015 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@mail pki]# openssl req -new -nodes -subj '/CN=mail.rhel5.com/O=hd/C=CN/ST=sh/L=yp' -keyout newreq.pem -out newreq.pem -days 365
Generating a 1024 bit RSA private key
..............++++++
.........++++++
writing new private key to 'newreq.pem'
-----
[root@mail pki]#
[root@mail pki]# openssl ca -out newcert.pem -infiles newreq.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 19 05:20:21 2012 GMT
Not After : Apr 19 05:20:21 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = sh
organizationName = hd
commonName = mail.rhel5.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:C7:37:39:29:CD:B8:93:C8:7C:C2:88:76:7E:C4:5B:BA:31:D1:1C
X509v3 Authority Key Identifier:
keyid:91:CD:B8:9B:E6:A4:82:59:5B:EC:49:9E:98:A2:E3:20:CF:B6:E2:D6
Certificate is to be certified until Apr 19 05:20:21 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated