Specifications

Chapter 9 Maintaining Open Directory Services 191
To create an Open Directory service certificate:
1 Generate a private key for the server in the /usr/share/certs/ folder:
If the /usr/share/certs folder does not exist, create it, and run the commands below from inside it so the files are written there.
$ sudo openssl genrsa -out ldapserver.key 2048
Keep ldapserver.key readable by root only (mode 0600): anyone who can read the private key can impersonate the LDAP server to its clients.
2 Generate a certificate signing request (CSR) for the certificate authority (CA) to sign:
$ sudo openssl req -new -key ldapserver.key -out ldapserver.csr
3 Fill out the following fields as completely as possible, making certain that the Common
Name field matches the DNS name of the LDAP server exactly (the host name clients use to connect, not a short name or an IP address), and leaving the
challenge password and optional company name blank:
Country Name:
State or Province Name:
Locality Name (city):
Organization Name:
Organizational Unit Name:
Common Name:
Email Address:
4 Sign the ldapserver.csr request with the openssl command.
$ sudo openssl ca -in ldapserver.csr -out ldapserver.crt
The ca command signs with the CA named in the default_ca section of the OpenSSL configuration file, so that CA (its certificate, private key, and database files) must already exist on this server.
5 When prompted, enter the CA passphrase to continue and complete the process.
The certificate files needed to enable SSL on the LDAP server (ldapserver.key and ldapserver.crt) are now in the /usr/share/certs/ folder.
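The following script is an added example, not part of the Apple guide: it runs steps 1 through 5 end to end against a throwaway CA in a temporary directory, so it can be tried without root access and without the server's real CA. The host name ldap.example.com, the organization "Example Org", the CA passphrase, and the temporary folder standing in for /usr/share/certs/ are all placeholders. It goes one step beyond the guide's prompts by adding a subjectAltName for the server's DNS name, which current TLS clients require in addition to the Common Name, and it ends with the checks a practitioner runs before selecting the certificate in Server Admin: the certificate chains to the CA, the Common Name and SAN are the LDAP host name, the key matches the certificate, and the key file is owner-only.

```shell
#!/bin/sh
# Added example (not from the Apple guide): steps 1-5 run end to end against a
# throwaway CA in a temporary directory. Placeholders: ldap.example.com,
# "Example Org", and the CA passphrase. A real server uses /usr/share/certs/
# and the CA already configured in its openssl.cnf instead.
set -eu

CERTDIR="$(mktemp -d)"              # stands in for /usr/share/certs/
CADIR="$CERTDIR/ca"                 # stands in for the server's existing CA
CA_PASS="change-me"                 # placeholder passphrase (step 5 prompts for it)
LDAP_HOST="ldap.example.com"        # the exact DNS name clients use in ldaps:// URLs

# Minimal openssl.cnf: [req] for the CSR and the self-signed CA certificate,
# [ca] for signing. The database files that 'openssl ca' requires are created
# alongside it.
write_config() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CERTDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = local_ca
[ local_ca ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$LDAP_HOST
EOF
}

# Throwaway CA with a passphrase-protected key, so 'openssl ca' needs the
# passphrase exactly as step 5 describes (supplied here with -passin).
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CADIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$CERTDIR/openssl.cnf" -key "$CADIR/ca.key" \
        -passin "pass:$CA_PASS" -days 365 -subj "/O=Example Org/CN=Example Org CA" \
        -out "$CADIR/ca.crt"
}

# Steps 1-4: key, CSR (subject given with -subj instead of the step 3 prompts;
# challenge password and company name left out), CA signature.
make_server_cert() {
    openssl genrsa -out "$CERTDIR/ldapserver.key" 2048 2>/dev/null
    chmod 600 "$CERTDIR/ldapserver.key"       # private key: owner-only
    openssl req -new -config "$CERTDIR/openssl.cnf" -key "$CERTDIR/ldapserver.key" \
        -subj "/C=US/ST=California/L=Cupertino/O=Example Org/OU=IT/CN=$LDAP_HOST" \
        -out "$CERTDIR/ldapserver.csr"
    openssl ca -batch -notext -config "$CERTDIR/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$CERTDIR/ldapserver.csr" -out "$CERTDIR/ldapserver.crt" 2>/dev/null
}

# Checks worth running before selecting the certificate in Server Admin.
cert_chains_to_ca() { openssl verify -CAfile "$CADIR/ca.crt" "$CERTDIR/ldapserver.crt" >/dev/null 2>&1; }
cert_cn()           { openssl x509 -in "$CERTDIR/ldapserver.crt" -noout -subject | sed 's/.*CN *= *//'; }
cert_has_san()      { openssl x509 -in "$CERTDIR/ldapserver.crt" -noout -text | grep -q "DNS:$LDAP_HOST"; }
key_mode()          { ls -l "$CERTDIR/ldapserver.key" | cut -c1-10; }
key_matches_cert() {
    [ "$(openssl rsa -in "$CERTDIR/ldapserver.key" -noout -modulus)" = \
      "$(openssl x509 -in "$CERTDIR/ldapserver.crt" -noout -modulus)" ]
}

write_config
make_ca
make_server_cert
if cert_chains_to_ca && cert_has_san && key_matches_cert; then
    echo "ldapserver.crt for $(cert_cn) is ready in $CERTDIR"
else
    echo "certificate checks failed" >&2; exit 1
fi
```

On the real server, drop the throwaway CA and the temporary folder, run the key, CSR, and ca commands as root in /usr/share/certs/ as the steps above describe, and run the same verify, subject, and modulus checks against the server's CA certificate before enabling SSL in Server Admin.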
6 Open Server Admin and connect to the Open Directory master or an Open Directory
replica server.
7 Click the triangle at the left of the server.
The list of services appears.
8 From the expanded Servers list, select Open Directory.
9 Click Settings, then click LDAP.
10 Select the Enable SSL checkbox.
11 Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP
service to use.
The menu lists all SSL certificates that have been installed on the server. To use a
certificate not listed, choose Manage Certificates from the pop-up menu. For more
information about certificates, see Advanced Server Administration.
12 Click Save.