Friday, May 1, 2009

Creating certificates for ldaps on windows 2003 server using openssl CA

/usr/lib/ssl/misc/ -newca
(Set a password for the CA)

/usr/lib/ssl/misc/ -newreq
(Set a password for the key for this cert)

/usr/lib/ssl/misc/ -sign
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out keyandcert.p12
(Consolidate key and cert into single file, protect with 'import password')

Then test cert is valid with:

openssl pkcs12 -in keyandcert.p12 -noout -info

Import CA cert:

  • Start | Run | mmc
  • Add snap-in Certificates
  • Right click on Trusted Root Certificates | All tasks | Import | Choose the CA certificate: demoCA/cacert.pem | Choose Trusted Root CA store
  • Find the certificate in the Trusted Root CA store | Right click | Properties | Enable only the following: untick everything except Server Authentication and Client Authentication

Import server cert:

  • Right click on Personal Certificates | All tasks | Import | Choose the server certificate: keyandcert.p12 | Enter private key password, mark as exportable | Choose Personal store
  • Find the certificate in Peronal store | Dbl click | Ensure the certificate dates are correct and the phrase "You have a private key that corresponds to this certificate" is present on the General tab.

Test with python (install the CA cert in a directory first):

import ldap
l = ldap.initialize("ldap://")

This should return successfully. If not, turn up the schannel logging level on the windows box by setting the eventlogging key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging = 0x4

Then re-try the python code. You should see the following events from schannel in the event viewer:

  • Creating an SSL server credential
  • Server credential has following properties....
  • An SSL server handshake completed successfully

The Microsoft HOWTO for doing this is pretty poor. It says all you need to do is install the certificates and reboot, then the DC will be listening on the ldaps port (tcp 686). In fact, a reboot is *not* required to get TLS working on the regular ldap port using start_tls as above, and even if you reboot the DC won't listen on port 686. I have trawled the net and can't find any other instructions for how to get ldaps listening.

I hate this windows black magic voodoo shit where debugging is practically impossible, error messages are completely uninformative, and rebooting is the cure for everything.

Update: If you need to update expired certificates, that does require a reboot. Deleting the old certs and restarting the certificate service doesn't cut it. To debug you can run a packet capture and look at the 'server hello' in wireshark; it parses the whole certificate so you can see what you are serving.

No comments: