Symas OpenLDAP Knowledge Base

Basic Security Certificate Setup

Basic certificate authority and security certificate creation with built-in OpenSSL CA tools.



Certificate Authority

A certificate authority is an entity that issues digital security certificates.

Public Key/Certificate


Private Key/Certificate





WORKING WITH openssl.cnf

The openssl.cnf file provides configuration information to the openssl utility.  On a new Symas OpenLDAP installation, the file is named /opt/symas/ssl/openssl.cnf.default.  The file must be renamed or copied to a file named /opt/symas/ssl/openssl.cnf. 

The configuration contains default paths and filenames, the length of time a certificate is valid, what hashing algorithm to use for the certificate and the default values for certificate information like organization, organizational unit, country name, etc. and many other settings.  When creating a CA for issuing self-signed certificates, most information in openssl.cnf should remain as-is.  There are some items where default values may be added or changed and makes it easier to keep certificate information more consistent:

Item Description
default_days The default_days variable sets the number of days that a certificate is valid.  The default is 365 and can be adjusted upward or downward to suit your needs.
countryName* The name of the country where the certificate is used or issued.
stateOrProvinceName* The name of the state or province where the certificate is used or issued.
localityName* The name of the city where the certificate is used or issued.
0.organizationName* The name of the company or organization that the certificate is for.
organizationalUnitName* The name of the organizational unit that the certificate is for.
commonName** While the description for the commonName says “(eg. YOUR name)” it is best to use the fully qualified host names.  When creating the CA, use the fully qualified host name of the machine that the CA is being created on.  When creating server and client certificates, use the fully qualified host name for the host that the certificate is going to be installed on.
emailAddress* An email address, usually for the user or group that will be the administrator for the CA.

* Item may have a default value set by adding a new line that starts with the item name appended with “_default” and then the desired value.

TODO - sample openssl.cnf file and link
Example openssl.cnf file link. [Greg Noe](


First you’ll need to run the script to make sure all directories are created.

Initialize OpenSSL

/opt/symas/ssl> ../bin/

Next, make a new CA request.

Create CA

/opt/symas/ssl> ../bin/ -newca

Respond to all the prompts.  If you have set defaults for fields in openssl.cnf and see the value in brackets at the prompt, press enter to accept it or enter a new value to override it.  Make sure to back up the passphrase you create.  Please note that the challengePassword and unstructuredName fields are optional.

Your CA is now set up and the CA public key is saved to /opt/symas/ssl/cacert.pem.



Create Certificate Request

/opt/symas/ssl> ../bin/ -newreq -nodes



Sign a Certificate

/opt/symas/ssl> ../bin/ -signreq