# OpenSSL Certificates for LDAP



## recyclable (Nov 22, 2018)

Hi there,

I'm currently going over the setup of an openldap server and I can't get through the certificates' creation.  The site / steps I'm following is https://www.freebsd.org/doc/en/articles/ldap-auth/ssl-ca.html. In there the first part is fine :

% *openssl genrsa -out root.key 1024*
% *openssl req -new -key root.key -out root.csr*
% *openssl x509 -req -days 1024 -in root.csr -signkey root.key -out root.crt*

The part, that I'm struggling with is: 

```
Next, using the first two steps above create a key ldap-server-one.key and certificate signing request ldap-server-one.csr. Once you sign the signing request with root.key, you will be able to use ldap-server-one.* on your LDAP servers.
```

Now , 

1. Why do we create a ldap-server-one.key, when it's not used ( the certificate that is being created along the way is not being signed with this key ) ?

and my main problem:
2. When I do 


```
openssl x509 -req -days 1024 -in ldap-server-one.csr -CA root.crt -CAkey root.key -out ldap-server-one.crt
```

then the error comes up, that I don't understand. 

Below the steps that I've done once again. 


```
freebsd ~/ca]# openssl genrsa -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
........................................++++++
e is 65537 (0x10001)
[root@freebsd ~/ca]# openssl req -new -key root.key -out root.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:DS
Locality Name (eg, city) []:Warsaw
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Giga
Organizational Unit Name (eg, section) []:TSE
Common Name (e.g. server FQDN or YOUR name) []:freebsd.giga.loc
Email Address []:info@giga.loc

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@freebsd ~/ca]# openssl x509 -req -days 1024 -in root.csr -signkey root.key -out root.crt
Signature ok
subject=/C=PL/ST=DS/L=Warsaw/O=Giga/OU=TSE/CN=freebsd.giga.loc/emailAddress=info@giga.loc
Getting Private key
[root@freebsd ~/ca]# openssl genrsa -out ldap-server-one.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
.++++++
e is 65537 (0x10001)
[root@freebsd ~/ca]# openssl req -new -key ldap-server-one.key -out ldap-server-one.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:DS
Locality Name (eg, city) []:Warsaw
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Giga
Organizational Unit Name (eg, section) []:TSE
Common Name (e.g. server FQDN or YOUR name) []:freebsd.giga.loc
Email Address []:info@giga.loc

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@freebsd ~/ca]# openssl x509 -req -days 1024 -in ldap-server-one.csr -CA root.crt -CAkey root.key -out ldap-server-one.crt
Signature ok
subject=/C=PL/ST=DS/L=Warsaw/O=Giga/OU=TSE/CN=freebsd.giga.loc/emailAddress=info@giga.loc
Getting CA Private Key
root.srl: No such file or directory
34380880456:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:/usr/src/crypto/openssl/crypto/evp/p_lib.c:137:
34380880456:error:02001002:system library:fopen:No such file or directory:/usr/src/crypto/openssl/crypto/bio/bss_file.c:406:fopen('root.srl','r')
34380880456:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/crypto/openssl/crypto/bio/bss_file.c:408:
[root@freebsd ~/ca]#
```

Can anyone real quick go over this on her/his side and see if she/he gets the same error, or help me otherwise with a bit of an advise, please? 

Regards
rec


----------



## ShelLuser (Nov 22, 2018)

recyclable said:


> The part, that I'm struggling with is:
> 
> ```
> Next, using the first two steps above create a key ldap-server-one.key and certificate signing request ldap-server-one.csr. Once you sign the signing request with root.key, you will be able to use ldap-server-one.* on your LDAP servers.
> ...


Because this will be the certificate/key combination used by LDAP server itself, this is also why the article referred to openssl(1).

When using OpenSSL like this it is important to understand the public key principle and the way it's used within "public encryption schemes" such as these. In short: while you can set up a private & public key combination (the certificate being the public key) this doesn't give a client any means to check the validity of this key combination. That's where the Root CA (Certificate Authority) comes in; a public key which is ultimately trusted by the system. When that key is used to sign a 3rd party key then any system which already trusts the Root CA will also immediately trust the 3rd party key combination because of that signature.

That is also happening in the article. First you create a so called self-signed certificate which acts as a Root CA, then you use that key combination to sign the newly created key in order to 'validate' it for any clients.



recyclable said:


> 2. When I do
> 
> ```
> openssl x509 -req -days 1024 -in ldap-server-one.csr -CA root.crt -CAkey root.key -out ldap-server-one.crt
> ...


What FreeBSD version are you using?


----------



## ShelLuser (Nov 22, 2018)

Problem solved. Meh, I'm getting rusty, overlooked the serial at first 

Next time please don't dump _all_ the output but only the error message. At most a few lines above and beyond (3 - 5) but not such a large blob because it makes it harder to find and spot all the details.

Anyway, the documentation is incomplete (I can't tell if it's plain out wrong or simply outdated). You need to use the -CAcreateserial parameter with that last OpenSSL command, then it won't complain about root.srl but simply creates it.

Whenever OpenSSL, used within a CA structure, signs a new certificate then it also keeps track of those certificates and raises the serial number by one:


```
peter@zefiris:/opt/ssl/certificates/code $ ls
certs/                  index.txt.attr          serial
codesign.cnf            index.txt.attr.old      serial.old
crl/                    index.txt.old
index.txt               newcerts/
peter@zefiris:/opt/ssl/certificates/code $ ls certs/ | wc  -l
       2
peter@zefiris:/opt/ssl/certificates/code $ cat serial
03
peter@zefiris:/opt/ssl/certificates/code $ cat index.txt
V       170502034823Z           01      unknown /C=NL/L=MyCity/O=mydomain.org/OU=Development/CN=myname
V       200229082454Z           02      unknown /C=NL/L=xxx/O=xxx.org/OU=VBA development/CN=xxxx
```
This will prevent creating dupes whenever the same party requests another certificate. At the very least the serial number will be different. But to keep track of that it has to store this, and that's where either openssl.cnf comes into play or, in your case, -CAcreateserial which simply enforces this creation.

I'll see if I can sent in a bug report to get that documentation fixed.


----------



## recyclable (Nov 23, 2018)

Nice catch. Thanks a lot. Respect. ps. case closed.


----------

