Instructions to generate a self-signed CA certificate and use it to sign an LDAP server certificate.

# openssl genrsa -out ca.key 2048
# openssl req -new -x509 -days 36500 -key ca.key -out ca.cert
# openssl genrsa -out ldap.key 2048
# openssl req -new -key ldap.key -out ldap.csr
# openssl x509 -req -days 36500 -in ldap.csr -CA ca.cert -CAkey ca.key -set_serial 01 -out ldap.cert
If you need one certificate to support multiple LDAP servers for failover, edit /etc/ssl/openssl.cnf as follows so that the subjectAltName extension lists every hostname the certificate must be valid for:

[req]
req_extensions = v3_req

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.foo.com
DNS.2 = www.foo.org
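The whole procedure above as an added, self-contained script (not part of the original instructions): it writes a private OpenSSL config instead of editing /etc/ssl/openssl.cnf, builds the CA and a SAN-bearing LDAP certificate in a temporary directory, and then checks that the leaf chains to the CA and actually carries both SAN names. The hostnames under example.test and the CA name are constructed placeholders. Note that `openssl x509 -req` does not copy extensions from the CSR unless `-extfile`/`-extensions` point at the v3_req section, so without them the signed certificate has no SAN even though the CSR requested one.

```shell
#!/bin/sh
# Added example: throwaway CA + LDAP server cert with two failover hostnames in
# the SAN, followed by a chain/SAN check. All names below are constructed.
set -eu
make_certs() {
  dir="$1"
  # private config instead of editing the system-wide /etc/ssl/openssl.cnf
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = ldap.example.test
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ldap1.example.test
DNS.2 = ldap2.example.test
EOF
  # CA key and self-signed CA certificate (-subj overrides the [dn] CN)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -config "$dir/san.cnf" \
    -extensions v3_ca -subj "/CN=Example Test CA" -out "$dir/ca.cert" 2>/dev/null
  # server key and a CSR that requests the SAN extension
  openssl genrsa -out "$dir/ldap.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ldap.key" -config "$dir/san.cnf" -out "$dir/ldap.csr" 2>/dev/null
  # 'x509 -req' ignores CSR extensions by default: name the section explicitly,
  # otherwise the signed certificate silently lacks the SAN
  openssl x509 -req -days 3650 -in "$dir/ldap.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
    -set_serial 01 -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/ldap.cert" 2>/dev/null
}

# Returns 0 only if ldap.cert chains to ca.cert and carries both SAN entries.
check_certs() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.cert" "$dir/ldap.cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -noout -text -in "$dir/ldap.cert" 2>/dev/null)
  echo "$text" | grep -q 'DNS:ldap1\.example\.test' || return 1
  echo "$text" | grep -q 'DNS:ldap2\.example\.test' || return 1
}

work=$(mktemp -d)
make_certs "$work"
check_certs "$work" && echo "chain verifies and SAN present in $work/ldap.cert"
```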
Check what's in each file using:

# openssl rsa -noout -text -in ca.key
# openssl x509 -noout -text -in ca.cert
# openssl rsa -noout -text -in ldap.key
# openssl req -noout -text -in ldap.csr
# openssl x509 -noout -text -in ldap.cert