How to Create Certificates for OpenLDAP
Learn how to generate and configure certificates for use with OpenLDAP, ensuring secure communication within your directory service environment.
This article assumes OpenSSL is installed. You first generate a private certificate authority (CA) key and self-signed CA certificate, then a key and a CA-signed server certificate for each OpenLDAP server in your environment. The CA certificate is what clients and replication peers use to verify those server certificates, so it must be distributed to them as well.
What Is SSL?
Secure Sockets Layer (SSL) is the original protocol for encrypting traffic between two network endpoints, such as a browser and a web site or two servers. Every SSL version is now deprecated; what OpenLDAP (and everything else) actually speaks today is its successor, Transport Layer Security (TLS), although the name "SSL" survives in option names and documentation. TLS gives a connection confidentiality (an eavesdropper cannot read the data), integrity (tampering is detected) and authentication (the client verifies the server's identity through its certificate, and optionally the server verifies the client). The certificates created below are what that authentication rests on.
CA Server
The CA steps are done only once. The resulting ca.key signs every server certificate, so keep it off the LDAP servers, protect it with a passphrase, and back it up.
1) Generate the CA key. The -des3 option encrypts the key with a passphrase you are prompted for; you will need that passphrase every time you sign a server certificate. (Current OpenSSL releases also accept -aes256 here, which is the stronger choice.)
openssl genrsa -des3 -out ca.key 4096
2) Generate the self-signed CA certificate as a PEM file. You are prompted for the passphrase from step 1 and for the subject fields; -days 3650 makes the CA certificate valid for ten years.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
Note: the Common Name should identify the organization's CA, for example "Example_Company CA Certificate", so it is never mistaken for a server certificate. (-nodes only affects a key written by this command; since ca.key already exists, it stays encrypted.)
For Each Server
3) Generate the server key and a certificate signing request (CSR). Do not set a passphrase: slapd must be able to open the key unattended at startup.
openssl req -new -nodes -out slapd.csr -keyout slapd.key -newkey rsa:4096
Note: the Common Name must be the full hostname that clients connect to (i.e., server.domain.com). Current clients match that name against the certificate's subjectAltName extension rather than the CN, so put the hostname there as well (OpenSSL 1.1.1 and later accept -addext "subjectAltName=DNS:server.domain.com" on this command) and make sure the CA copies request extensions into the issued certificate (copy_extensions = copy in the openssl ca section of the configuration file).
4) Sign the request with the CA key and certificate:
openssl ca -out slapd.crt -notext -days 3650 -in slapd.csr -keyfile ca.key -extensions v3_req -cert ca.crt
You are prompted for the CA key passphrase. -extensions v3_req takes the extension section of that name from the OpenSSL configuration file (in the stock openssl.cnf it sets basicConstraints = CA:FALSE, which is what a server certificate needs); it does not by itself copy extensions from the CSR.
openssl ca keeps a small certificate database. Depending on the OpenSSL configuration file, it expects a demoCA directory (relative to the current directory unless the configuration's dir setting says otherwise) containing an index.txt file, a serial file and a newcerts directory, and it fails with an error naming whichever one is missing. Create them at the location the error names.
The serial file should be initialized with a value such as 00; openssl ca advances it after each certificate it issues.
touch /opt/symas/ssl/ca/demoCA/index.txt
echo 00 >/opt/symas/ssl/ca/demoCA/serial
5) On the server, make sure the files are owned by the account slapd runs as and that the private key is readable by nobody else (mode 0600); the certificate itself may be world-readable. Example:
chown ldap:ldap slapd.key slapd.crt
Copy ca.crt to the server as well, and to every client or replica that must verify this server's certificate.
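The whole procedure above, CA setup and per-server issuance, as one non-interactive script. This is an added example, not part of the original article or of Symas' own tooling. It assumes a scratch directory ($WORK), a CA passphrase in $CA_PASS, and the hostnames ldap1.example.com and ldap2.example.com; all three are placeholders. Instead of relying on the system openssl.cnf and its demoCA paths, it writes a minimal CA configuration of its own, which is where the index.txt, serial and newcerts entries the article mentions live, and it sets copy_extensions = copy so the subjectAltName requested in the CSR reaches the signed certificate. It ends by verifying each certificate against the CA with a hostname check, the way a client would.

```shell
#!/bin/sh
# Added example (not from the article): private CA plus per-server OpenLDAP
# certificates, run without prompts. $WORK, $CA_PASS and the example.com
# hostnames are assumptions for illustration only.
set -eu
umask 077                              # new files, private keys included, are owner-only

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"
CA_PASS="${CA_PASS:-change-me-example-passphrase}"

# One-time CA setup. openssl ca needs a database: index.txt, serial and
# newcerts/ are created here explicitly instead of hoping demoCA/ exists.
make_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"         # any starting value works; the article uses 00
    cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 3650
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
organizationName = optional
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # CA key is passphrase-protected (AES-256 here rather than the article's DES3).
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$CA_DIR/ca.key" -passin "pass:$CA_PASS" -sha256 -days 3650 \
        -subj "/O=Example_Company/CN=Example_Company CA Certificate" \
        -config "$CA_DIR/ca.cnf" -extensions v3_ca -out "$CA_DIR/ca.crt"
}

# Per server: unencrypted key (slapd opens it unattended), CSR carrying the
# hostname both as CN and as a subjectAltName, then signature by the CA.
make_server_cert() {
    host="$1"
    dir="$WORK/$host"
    mkdir -p "$dir"
    printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\n[ dn ]\n[ v3_req ]\nsubjectAltName = DNS:%s\n' \
        "$host" > "$dir/req.cnf"
    openssl req -new -nodes -newkey rsa:4096 -keyout "$dir/slapd.key" \
        -subj "/CN=$host" -config "$dir/req.cnf" -out "$dir/slapd.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -extensions v3_server -passin "pass:$CA_PASS" \
        -notext -in "$dir/slapd.csr" -out "$dir/slapd.crt" 2>/dev/null
    chmod 600 "$dir/slapd.key"         # on the real server also: chown ldap:ldap slapd.key slapd.crt
    chmod 644 "$dir/slapd.crt"
}

# Chain and hostname verification, as an LDAP client performs it. Echoes OK or FAIL.
verify_cert() {
    if openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Did the SAN from the CSR survive signing? Echoes yes or no.
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

make_ca
make_server_cert ldap1.example.com
make_server_cert ldap2.example.com
echo "ldap1 verifies as ldap1: $(verify_cert "$WORK/ldap1.example.com/slapd.crt" ldap1.example.com)"
echo "ldap1 verifies as ldap2: $(verify_cert "$WORK/ldap1.example.com/slapd.crt" ldap2.example.com)"
echo "files under $WORK"
```

The negative check at the end is the one worth keeping in mind: the ldap1 certificate is signed by a trusted CA and still fails verification when presented under another name, which is exactly what happens in production when the CN or subjectAltName does not match the hostname clients use. Keep ca.key out of $WORK on any real deployment; only ca.crt travels to servers and clients.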