LDAP expired SSL certificate

expiredldaprenewssl-certificatetls

The SLL certificate on the LDAP server expired recently, making it impossible to ssh into other Linux machines who relay strictly on LDAP.

Being a self-signed certificate, my understanding is that it cannot be renewed.

Knowing that I need to generate a new certificate, any ideas on how can that certificate be transferred on client machines when no remote authentication is possible because the old SSL is already expired?

Best Answer

You can retrieve the certificate on the client with

openssl s_client -CApath /etc/ssl/certs -verify 10 \
    -connect '<host>:<port>' 2>&1 < /dev/zero | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    > foo.pem

foo.pem can then be put in the client's trust store.

I'd suggest using a certificate signed by a CA though, even if it is your own CA (easily managed with TinyCA).

The main advantage is that you can import the CA root certificate and don't have to worry about trusting host certificates anymore.

Related Solutions

Ssl – How to troubleshoot this SSL certificate error

I think that you need to restart IIS to reload the certificate keystore.

You can also check the remote certificate with:

openssl s_client -connect SMTPserver:port|openssl x509 -text

You can find openssl at http://www.openssl.org/related/binaries.html

Problems with self-signed SSL certificate for SSTP in Windows Server Foundation 2008

Here's the way I always recommend installing self-signed certificates for things like this:

On the client machine: Go to Start > Run... (if windows 7, Win + R) > type 'mmc' and hit Enter. When the MMC comes up, File > Add/Remove Snap In... and choose the 'Certificates' snap-in. It'll ask you for user, computer, etc... choose local Computer. When the snap-in loads, choose the Trusted Root folder, right click inside the list of certs, and choose Tasks > Import... and SPECIFY that the certificate be imported to the Trusted Root folder. Do not let it decide where to put it. Works fine for me.

If it still doesn't work, you may need to download and import the entire certificate chain from your internal CA.

Best Answer

Related Solutions

Ssl – How to troubleshoot this SSL certificate error

Problems with self-signed SSL certificate for SSTP in Windows Server Foundation 2008

Related Topic