How To Create an OpenSSL Certificate Authority (CA) for OpenLDAP

Recently I needed to create an OpenSSL Certificate Authority (CA) to implement SSL connections across multiple systems for OpenLDAP.  I had read through the FreeBSD Handbook on how to do it, but I quickly found out that it only got you 75% of the way there, and then left me hanging when it didn’t work.  Here are my notes on how I got it to work on FreeBSD 8.2:

First, create the root CA key and the certificate:

cd /usr/ssl
openssl genrsa -out root.key 1024
openssl req -new -key root.key -out root.csr
touch root.srl && echo 01 > root.srl
openssl x509 -req -days 1024 -in root.csr -signkey root.key -out root.crt

Next, restrict permissions on the key so that nobody else on the system can read it:

chmod 600 root.key

Next, to sign a newly created certificate request (here ldap-server-one.csr) with the CA created in the steps above, run:

openssl x509 -req -days 1024 -in ldap-server-one.csr -CA root.crt -CAkey root.key -CAserial root.srl -out ldap-server-one.crt

For clients to trust all of the servers in the cluster, distribute root.crt (not the key!) and point the TLSCACertificateFile directive in ldap.conf at it.
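The whole procedure end to end, as an added example that is not from the original post: it also generates the server key and CSR the post assumes already exist, marks the root certificate as a CA, gives the server certificate a subjectAltName, and runs openssl verify before root.crt is handed out. File names follow the post; the 2048-bit keys, SHA-256, the extension files and the CN/hostname values are constructed additions.

```shell
#!/bin/sh
# Added example: builds a root CA and one signed LDAP server certificate in
# the directory given as $1, then verifies the chain the way a client would.
set -e

build_ldap_pki() (
    cd "$1"   # subshell, so the caller's working directory is untouched

    # 1. Root CA key and self-signed certificate. 2048-bit RSA rather than the
    #    post's 1024-bit; the extension file marks the cert as a CA, which the
    #    bare "x509 -req -signkey" form does not.
    openssl genrsa -out root.key 2048 2>/dev/null
    chmod 600 root.key
    openssl req -new -key root.key -subj "/CN=Example LDAP Root CA" -out root.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -sha256 -days 1024 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.crt 2>/dev/null
    echo 01 > root.srl                      # serial file the post creates with touch/echo

    # 2. Server key and CSR (the post signs ldap-server-one.csr but never
    #    shows how it is produced). Hostname is a constructed example.
    openssl genrsa -out ldap-server-one.key 2048 2>/dev/null
    chmod 600 ldap-server-one.key
    openssl req -new -key ldap-server-one.key -subj "/CN=ldap-server-one" -out ldap-server-one.csr

    # 3. Sign with the CA. -CAserial consumes root.srl; CA:FALSE and the SAN
    #    keep the leaf from being usable as an issuer and let clients match it.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap-server-one\n' > server.ext
    openssl x509 -req -sha256 -days 1024 -in ldap-server-one.csr \
        -CA root.crt -CAkey root.key -CAserial root.srl \
        -extfile server.ext -out ldap-server-one.crt 2>/dev/null

    # 4. What a client holding only root.crt will conclude; run this before
    #    distributing root.crt to the cluster. Prints "ldap-server-one.crt: OK".
    openssl verify -CAfile root.crt ldap-server-one.crt
)
```

Only root.crt leaves the CA host; root.key and the server key stay mode 600 where they were generated. In OpenLDAP, TLSCACertificateFile is the slapd.conf form of the directive; the client-side ldap.conf equivalent is TLS_CACERT, pointed at the same distributed root.crt.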
