Using an IP address in the `ldap_uri` option (in the `/etc/sssd/sssd.conf` file) instead of the server name can cause the TLS/SSL connection to fail, because TLS/SSL certificates contain the server name, not the IP address. However, you can use the subject alternative name field in the certificate to include the IP address of the server, which enables a successful secure connection using an IP address.
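The following Python example, added here and not part of the original documentation, models the name-matching rule that makes the IP-literal case fail: a TLS client compares the host part of the URI against the certificate's subject alternative names, and an IP literal only ever matches an `IP Address` entry, never a `DNS` entry. The subject-alternative-name tuples use the same shape that Python's `ssl` module returns from `getpeercert()["subjectAltName"]`; the sample certificates (`OLD_CERT_SAN`, `NEW_CERT_SAN`) and the hostnames are constructed for the example and reuse the 192.0.2.1 address from the procedure above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN lists, in the ('type', 'value') tuple shape that
# ssl.SSLSocket.getpeercert()['subjectAltName'] uses.
OLD_CERT_SAN = (("DNS", "ldap.example.com"),)
NEW_CERT_SAN = (("DNS", "ldap.example.com"), ("IP Address", "192.0.2.1"))


def uri_host(ldap_uri):
    """Return the host part of an ldap:// or ldaps:// URI.

    urlsplit().hostname lowercases DNS names and strips the square
    brackets from IPv6 literals, which is what we want to compare.
    """
    host = urlsplit(ldap_uri).hostname
    if not host:
        raise ValueError("no host in URI: %r" % ldap_uri)
    return host


def _dns_match(pattern, host):
    """RFC 6125 style dNSName comparison: case-insensitive, one wildcard
    allowed only as the whole leftmost label, and never across the
    registrable domain (*.example.com must not match example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def ldap_uri_matches_cert(ldap_uri, san_entries):
    """Decide whether the host in ldap_uri is covered by the certificate's
    subject alternative names.

    An IP literal in the URI is compared only against 'IP Address' SAN
    entries (as binary addresses, so IPv6 spelling differences do not
    matter).  A DNS name is compared only against 'DNS' entries.  This is
    the rule that makes ldap_uri = ldaps://192.0.2.1 fail against a
    certificate that only carries DNS:ldap.example.com.
    """
    host = uri_host(ldap_uri)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name

    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry, ignore it
        elif ip is None and kind == "DNS":
            if _dns_match(value, host):
                return True
    return False


if __name__ == "__main__":
    for uri in ("ldaps://ldap.example.com", "ldaps://192.0.2.1:636"):
        print(uri, "old cert:", ldap_uri_matches_cert(uri, OLD_CERT_SAN),
              "new cert:", ldap_uri_matches_cert(uri, NEW_CERT_SAN))
```

Running the block shows the old certificate accepting only the hostname form of `ldap_uri`, while the certificate reissued with the IP subject alternative name accepts both. The same function can be pointed at a live server's `getpeercert()["subjectAltName"]` value to check a certificate before changing `ldap_uri` in `sssd.conf`.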
Convert an existing certificate into a certificate request. The certificate signing request (CSR) must be signed with the private key of the LDAP server for which the certificate was issued; using the `-signkey` option, pass the PEM file that contains the private key.
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
Edit the `/etc/pki/tls/openssl.cnf` configuration file to include the server's IP address under the `[ v3_ca ]` section:
subjectAltName = IP:192.0.2.1
Use the generated CSR to generate a new certificate with the specified IP address.
To generate a self-signed certificate, use the `-signkey` option to sign the certificate with the PEM file containing the old LDAP server certificate and the corresponding private key:
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
To generate a certificate signed by a certificate authority (CA), use the `-CA` and `-CAkey` options to sign the certificate with the CA certificate (here the placeholder `ca_cert.pem`) and the PEM file containing the CA private key. Do not use `-signkey` here: with `openssl x509 -req`, `-signkey` always produces a self-signed certificate and replaces the public key with the one belonging to the signing key, so the result would not match the LDAP server's private key.
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -CA ca_cert.pem -CAkey key.pem -CAcreateserial
The `-extensions` option sets which extensions to use with the certificate. For this procedure, it should be `v3_ca` so that the section containing the `subjectAltName` entry is loaded.
Copy the private key block from the `old_cert.pem` file into the `new_cert.pem` file to keep all relevant information in one file.
When creating a certificate through the `certutil` utility provided by the nss-util package, note that `certutil` supports DNS subject alternative names as well as IP address subject alternative names for certificate creation.