Update OpenLDAP SSL certificate on CentOS 6

You may need to update your OpenLDAP SSL certificate, as well as the CA certificate and signing key on a regular basis. I ran into an issue that was ultimately resolved by doing that.

Connections to an OpenLDAP server I administer stopped working with this error:

The server itself was up and the relevant ports were accessible. In fact, unencrypted LDAP continued to work while LDAPS saw the error above.

I restarted slapd with the -d 255 flag (-d 8 is sufficient for this error) and started seeing this error:

At the start of the log, I saw several related errors including this one:

Ultimately this meant that I had to replace not just my certificate but also the CA certificate and the signing key in OpenLDAP’s moznss database. I believe my CA’s certificate had to be replaced because of the SHA1 retirement last year.

The steps I had to follow were surprisingly involved and undocumented:

  • Upload the new certificates to /etc/openldap/ssl
  • cd /etc/openldap/certs
  • List the existing certificates in the database:

  • Remove the existing certs:

  • Load the new OpenLDAP SSL certificate and CA certificate:

  • Verify:

  • Convert the key to pkcs12 format:

  • Import the signing key:

  • Restart slapd:
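The eight steps above, scripted as one added example (not the post's own commands): certutil and pk12util are the standard tools for the NSS database slapd uses on CentOS 6, but the file names under /etc/openldap/ssl, the certificate nicknames and the location of the database password file are assumptions, and the script prints the commands instead of running them until DRY_RUN=0.

```shell
#!/bin/sh
# Added example: replace server cert, CA cert and signing key in slapd's NSS db.
# Paths, nicknames and the password-file location below are assumptions.
set -eu

NSSDB=${NSSDB:-/etc/openldap/certs}            # slapd's NSS (moznss) database
NSS_PW=${NSS_PW:-$NSSDB/password}              # NSS db password file (assumed location)
SSL_DIR=${SSL_DIR:-/etc/openldap/ssl}          # where the new PEM files were uploaded
SERVER_NICK=${SERVER_NICK:-"OpenLDAP Server"}  # nickname of the server cert in the db
CA_NICK=${CA_NICK:-"OpenLDAP CA"}              # nickname of the issuing CA in the db
DRY_RUN=${DRY_RUN:-1}                          # 1 = print commands, 0 = execute them

# Print or execute one command, so the whole sequence can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

update_openldap_nss() {
    # 1. List what is in the database now (nickname and trust flags).
    run certutil -d "$NSSDB" -L
    # 2. Remove the old server cert and the old CA cert by nickname.
    run certutil -d "$NSSDB" -D -n "$SERVER_NICK"
    run certutil -d "$NSSDB" -D -n "$CA_NICK"
    # 3. Load the new CA (trusted to issue server certs) and the new server cert.
    run certutil -d "$NSSDB" -A -n "$CA_NICK" -t "CT,," -i "$SSL_DIR/ca.crt"
    run certutil -d "$NSSDB" -A -n "$SERVER_NICK" -t "u,u,u" -i "$SSL_DIR/server.crt"
    # 4. Verify the chain validates for SSL-server usage before restarting slapd.
    run certutil -d "$NSSDB" -V -n "$SERVER_NICK" -u V
    # 5. Bundle cert + key as PKCS#12 under the same nickname, then import the key
    #    (openssl and pk12util prompt for the PKCS#12 export password).
    run openssl pkcs12 -export -in "$SSL_DIR/server.crt" -inkey "$SSL_DIR/server.key" \
        -name "$SERVER_NICK" -out "$SSL_DIR/server.p12"
    run pk12util -d "$NSSDB" -i "$SSL_DIR/server.p12" -k "$NSS_PW"
    # 6. Restart slapd so it reloads the database.
    run service slapd restart
}

# Number of commands the procedure issues; a quick dry-run sanity check.
dry_run_lines() {
    ( DRY_RUN=1; update_openldap_nss ) | wc -l | tr -d ' '
}

update_openldap_nss
```

Run with DRY_RUN=0 on the server only after the printed sequence looks right; the NSS db password file is read by pk12util via -k, so it must be readable by the invoking user.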

I hope that’s enough to help anyone facing the same problem on CentOS, RHEL, Fedora, and possibly other distros.

Published by Leons Petrazickis

I'm a full-stack developer at IBM Analytics Emerging Technologies. I do Ruby, JS, Python, Hadoop, Spark, as well as web scale devops with Chef and Docker. My opinions are my own.