Self-signed certificates for TLS/SSL and LDAP

Instructions to generate a self-signed certificate.

# openssl genrsa -out ca.key 2048
# openssl req -new -x509 -days 36500 -key ca.key -out ca.cert

# openssl genrsa -out ldap.key 2048
# openssl req -new -key ldap.key -out ldap.csr
# openssl x509 -req -days 36500 -in ldap.csr -CA ca.cert -CAkey ca.key -set_serial 01 -out ldap.cert

If you need one certificate to support multiple LDAP servers for failover, you need to edit /etc/ssl/openssl.cnf as per these instructions:

req_extensions = v3_req

subjectAltName = @alt_names
DNS.1 =
DNS.2 =

Check what's in the files using

# openssl rsa -noout -text -in ca.key
# openssl x509 -noout -text -in ca.cert
# openssl rsa -noout -text -in ldap.key
# openssl req -noout -text -in ldap.csr
# openssl x509 -noout -text -in ldap.cert