Integrating PHPki, GridShib CA, and MyProxy CA
Submitted by jpr on Wed, 08/09/2006 - 22:20. CA | grid | storage | openssl | phpki | shibboleth
Taking the time to read up on the GridShib CA and MyProxy CA was very useful. They and phpki are all ultimately backed by an openssl configuration, so in a sense they are compatible with each other. The decision to use one over the other seems to be mainly about where one stores a cert and how one can retrieve it. The GridShib CA has a great way of creating certs that are truly private (client-based key), so I'm guessing there is no key store in GridShib CA. MyProxy CA would seem to have a keystore since it's backed by Simple CA. This makes it like phpki except that the interface is command-line versus web.

weblogin officially using LDAP over SSL
Submitted by jpr on Wed, 08/09/2006 - 22:11. faq | ldap | weblogin | openssl | pubcookie
weblogin.ac.uab.edu is now using ldaps to access the LDAP service for authentication. Several problems had prevented this from working. The default libldap2 binary on debian woody 2.4 is not built with tls enabled. This was the main problem. The fix was to rebuild the openssl source package on the debian build box:
apt-get source libldap2
cd openldap-2.0.23
dpkg-buildpackage -uc -b
and then install the resulting libldap2.deb file on weblogin:
dpkg -i libldap2-2.0.23.deb
The next step is to tell libldap where to find the trust definition for the UAB ldap SSL interface. This requires the Equifax root. Put that in /usr/lib/ssl/cert/ca-bundle.crt. The location is defined in /etc/ldap/ldap.conf with the values TLS_CACERT (for the bundle file) and TLS_CACERTDIR (for the hash-based files). While I prefer the latter, only the TLS_CACERT file option seemed to work.
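The checks below are an added example, not part of the original post: they confirm the three things the procedure above depends on (a TLS-enabled libldap, a TLS_CACERT entry in /etc/ldap/ldap.conf pointing at a real PEM bundle, and a server chain that actually verifies against that bundle). The LDAP_CONF override and the ldaps host passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the libldap TLS trust
# setup described above. /etc/ldap/ldap.conf is the real libldap config path;
# the LDAP_CONF override and the ldaps host you pass in are assumptions.

# Print the value of KEY from an ldap.conf-style FILE. Keys are case-insensitive,
# separated from their value by whitespace; '#' lines are comments. Status 1 if absent.
ldap_conf_get() {
    k=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    val=$(awk -v k="$k" '!/^[[:space:]]*#/ && toupper($1)==k {
            $1=""; sub(/^[[:space:]]+/, ""); print; exit }' "$2")
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Print how many PEM certificates a bundle holds; status 1 when none (or no file).
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
    [ "${n:-0}" -gt 0 ]
}

# Was the installed libldap built with TLS? A TLS-less build (the woody default
# the post describes) links against neither OpenSSL nor GnuTLS.
libldap_has_tls() {
    lib=$(ldconfig -p 2>/dev/null | awk '/libldap/ { print $NF; exit }')
    [ -n "$lib" ] && ldd "$lib" 2>/dev/null | grep -q -e libssl -e libgnutls
}

# Handshake with HOST:PORT trusting only CAFILE; succeeds only when OpenSSL
# reports the server chain as verified against that anchor.
ldaps_verify() {
    printf '' | openssl s_client -connect "$1:${2:-636}" -CAfile "$3" 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh ldaps-check.sh ldap.example.org [636]   (runs the checks above)
if [ $# -ge 1 ]; then
    conf=${LDAP_CONF:-/etc/ldap/ldap.conf}
    libldap_has_tls && echo "libldap: TLS-enabled build" || echo "libldap: NO TLS support"
    cafile=$(ldap_conf_get TLS_CACERT "$conf") || { echo "$conf: no TLS_CACERT set"; exit 1; }
    echo "TLS_CACERT = $cafile ($(pem_cert_count "$cafile") cert(s))"
    ldaps_verify "$1" "$2" "$cafile" && echo "$1: chain verified against $cafile" \
        || { echo "$1: verification FAILED"; exit 1; }
fi
```

A "Verify return code" other than 0 from the last check means libldap will either reject the server or, if TLS_REQCERT is relaxed, silently trust an unverified peer, so treat anything but a clean pass as a configuration error.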

