Forest : site1.ru
Domain : site1.ru
Netbios domain : SITE1
DC name : dc1.site1.ru
DC netbios name : DC1
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
[root@dc1 tls]# openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
...............................................................................+++++
e is 65537 (0x010001)
[root@dc1 tls]# openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) []:City123 st.
Locality Name (eg, city) []:City123
Organization Name (eg, company) []:site1
Organizational Unit Name (eg, section) []:IT
Common Name (e.g., your name or your server's hostname) []:DC1.site1.ru
Email Address []:admin@site1.ru
[root@dc1 tls]# openssl genrsa -out dc1.site1.ru.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
..............................................................................................................................................+++++
e is 65537 (0x010001)
[root@dc1 tls]#
[root@dc1 tls]# openssl req -new -key dc1.site1.ru.key -out dc1.site1.ru.csr
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) []:City123 st.
Locality Name (eg, city) []:City123
Organization Name (eg, company) []:site1
Organizational Unit Name (eg, section) []:IT
Common Name (e.g., your name or your server's hostname) []:DC1.site1.ru
Email Address []:admin@site1.ru
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:site1.RU
[root@dc1 tls]# openssl x509 -req -in dc1.site1.ru.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out dc1.site1.ru.crt -days 5000
Signature ok
subject=C = RU, ST = City123 st., L = City123, O = site1, OU = IT, CN = DC1.site1.ru, emailAddress = admin@site1.ru
Getting CA Private Key
# TLS
# Samba AD DC TLS settings. The three files are the ones produced in the
# openssl session above: dc1.site1.ru.key/.crt is the server identity and
# rootCA.crt is the CA that signed it (the `-CA rootCA.crt -CAkey rootCA.key`
# step). tls cafile must be the issuer of tls certfile or clients cannot
# build a chain.
# NOTE(review): in the session above both the CA (CN=DC1.site1.ru) and the
# server CSR (CN=DC1.site1.ru) were given the identical DN, so the server
# certificate's issuer DN is byte-for-byte its own subject DN. The
# ldapsearch trace below shows the consequence ("depth: 0, err: 18 ...
# self signed certificate"): the verifier treats the leaf as self-signed
# and never reaches rootCA.crt. Re-issue rootCA.crt with a distinct CN
# (constructed example: CN="site1 Root CA") and re-sign the DC
# certificate with it.
# NOTE(review): the client must also trust rootCA.crt (e.g. TLS_CACERT in
# ldap.conf) — nothing in the transcript shows it being configured; confirm
# before re-testing. The second ldapsearch uses -h site1.ru while the
# certificate CN is DC1.site1.ru, so a name mismatch is presumably the next
# failure once the chain is fixed — verify.
tls enabled = yes
tls keyfile = tls/dc1.site1.ru.key
tls certfile = tls/dc1.site1.ru.crt
tls cafile = tls/rootCA.crt
[root@dc1 ~]# ldapsearch -d 1 -H ldaps://dc1.site1.ru:636
ldap_url_parse_ext(ldaps://dc1.site1.ru:636)
ldap_create
ldap_url_parse_ext(ldaps://dc1.site1.ru:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.site1.ru:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying fe80:::e9ae 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 0, err: 18, subject: /C=RU/ST=City123 st./L=City123/O=site1/OU=IT/CN=DC1.site1.ru/emailAddress=admin@site1.ru, issuer: /C=RU/ST=City123 st./L=City123/O=site1/OU=IT/CN=DC1.site1.ru/emailAddress=admin@site1.ru
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate).
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)
[root@dc1 ~]# ldapsearch -h site1.ru -W -x -D "Administrator@site1.ru" -Z -b dc=site1,dc=ru "(cn=Administrator)" dn sAMAccountName
ldap_start_tls: Connect error (-11)
additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)
[root@dc1 ~]#