So now that I know this certificate is blessed by my client, I can try to use it to connect. But let’s say I try to use a self-signed certificate or another cert that’s not trusted… Using a self-signed certificate, you should see something like this… If it’s a trust issue, perhaps the certificate is valid but the client just can’t find the CA or intermediate certificate… But if everything’s working correctly, your client should connect just fine, and it will look something like this, with a big fat Verify return code: 0 (ok) at the end.
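Here is an added example (not from the original post) that turns the openssl s_client check above into something a script can act on: it pulls the numeric Verify return code out of the output and maps the codes the post talks about (self-signed, missing CA or intermediate, ok) to a one-line diagnosis. The host, CA file path and the sample output strings are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the post's own commands. Assumes the openssl CLI.
# Host:port, CA bundle path and sample outputs below are illustrative.

# Read openssl s_client output on stdin and print only the numeric
# "Verify return code" (0 = ok). Prints nothing if the line is absent.
parse_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Map the common X509_V_ERR codes to the situations the post describes.
explain_verify_code() {
    case "$1" in
        0)  echo "ok: chain verified against the client's trust store" ;;
        18) echo "self-signed leaf: the server cert is not issued by any trusted CA" ;;
        19) echo "self-signed root in chain: the issuing CA is not in the client's trust store" ;;
        20) echo "unable to get local issuer certificate: CA or intermediate missing on the client" ;;
        21) echo "unable to verify the first certificate: server sent no usable chain" ;;
        "") echo "no verify line found (connection or handshake failed?)" ;;
        *)  echo "verify error $1: see the X509_V_ERR_* list in the openssl verify docs" ;;
    esac
}

# Connect to host:port (sending SNI), optionally trusting an extra CA file,
# print code + diagnosis, and return success only on "0 (ok)".
tls_verify() {
    host_port=$1; cafile=$2
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host_port" -servername "${host_port%%:*}" \
                  -CAfile "$cafile" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host_port" -servername "${host_port%%:*}" \
                  </dev/null 2>/dev/null)
    fi
    code=$(printf '%s\n' "$out" | parse_verify_code)
    echo "$host_port -> ${code:-none}: $(explain_verify_code "$code")"
    [ "$code" = "0" ]
}

# usage (hostname is an assumption):
#   tls_verify wiki.example.com:443 /etc/pki/tls/certs/ca-bundle.crt
```

Run it once without -CAfile to see what a client using only the system trust store gets, then with the bundle that contains your intermediate; a 20 that turns into a 0 when the bundle is supplied means the server is not sending the intermediate and the fix belongs on the server, not on every client.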
If you submit an SSL certificate request for your Apache/Lighttpd web server to a Certificate Authority (CA) on a Windows Domain Controller, you might have to convert the resulting binary DER-formatted certificate into PEM so Apache or Lighttpd can read it.
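An added example (not the post's own commands) of the conversion: it first tells DER from PEM by looking at the file rather than trusting the extension, then runs the cert through openssl x509 so a corrupt or mislabelled .cer fails here instead of at web server start. File names are assumptions; the openssl CLI is required.

```sh
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI.
# File names are illustrative.

# Print "pem", "der" or "unknown" for a certificate file.
# PEM is base64 text between "-----BEGIN ...-----" armor lines; DER is raw
# ASN.1, and a certificate is a SEQUENCE, so its first byte is 0x30.
cert_format() {
    if head -c 40 "$1" | grep -q -- '-----BEGIN'; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Convert DER -> PEM (PEM input is re-emitted unchanged in content) and
# refuse anything that is neither. openssl x509 parses the certificate,
# so garbage never reaches ssl.pemfile / SSLCertificateFile.
der_to_pem() {
    in=$1; out=$2
    case "$(cert_format "$in")" in
        der) openssl x509 -inform der -in "$in" -out "$out" ;;
        pem) openssl x509 -inform pem -in "$in" -out "$out" ;;
        *)   echo "$in: not a DER or PEM certificate" >&2; return 1 ;;
    esac
}

# usage (names are assumptions):
#   der_to_pem server.cer server.pem && \
#       openssl x509 -in server.pem -noout -subject -issuer -dates
```

Do the subject/issuer/dates check before copying the file into place: an AD CS request that was approved with the wrong template shows up here as an unexpected issuer or a lifetime you did not ask for.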
I read in a bunch of places that you can’t use HTTP["scheme"] to redirect http:80 traffic to https:443 without using 2-3 levels of nesting with socket and host. But that’s just not true. The only reason it doesn’t work at first is that the string http is a prefix of https, so a loose match on http also matches https; be more specific with http$ and it works with just one line in lighttpd.conf.
Now edit the lighttpd.conf configuration file to enable SSL. Use the public-facing interface’s IP address instead of mine, unless yours happens to be 192.168.1.2 too! Then nmap or netstat will confirm it’s listening on port 443.
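As an added example (not the post's own lighttpd.conf), here is the HTTPS listener together with the scheme-based redirect from the earlier post, since the redirect only makes sense once the 443 socket exists. The address 192.168.1.2 follows the post; the hostname, certificate paths and module list are assumptions.

```lighttpd
# Added example, not the post's configuration. Hostname and paths are
# assumptions; 192.168.1.2 is the address used in the post.
server.modules += ( "mod_redirect" )

# HTTPS on the public interface. lighttpd 1.4 reads the private key and
# the server certificate from the single file named by ssl.pemfile;
# ssl.ca-file carries the intermediate(s) so clients can build the chain
# (a missing intermediate shows up as verify return code 20 in
# openssl s_client).
$SERVER["socket"] == "192.168.1.2:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/wiki.example.com.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/intermediate-ca.pem"
}

# Plain-HTTP requests are bounced to HTTPS. "==" is an exact string
# compare, so "http" cannot match "https"; if you prefer the regex form
# "=~", anchor it as "^http$" for the same reason.
$HTTP["scheme"] == "http" {
    url.redirect = ( "^/(.*)" => "https://wiki.example.com/$1" )
}
```

Check the syntax with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before restarting; after the restart, `netstat -tln | grep :443` (or an nmap of the interface) shows the listener, and the openssl s_client check from the first post tells you whether the chain in ssl.ca-file is complete.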
Enabling LDAP authentication should take you about 2 minutes, unless you type with just 2 fingers. Then maybe 3 or 4. …If you don’t allow anonymous connections to your LDAP server, give it a user/password combination with enough privileges to do the lookups, or just use your master account if you’re only testing or don’t really care (the bind password sits in plain text in lighttpd.conf, so on a real server use a dedicated read-only account). … Now tell it which parts of your webserver you want to protect and how. You can specify any string you’d like for the realm. Here I require an LDAP user account name and password just to get to the wiki main page, and only admin can see the server-config page… Restart lighttpd and you’re done.
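An added example (not the post's own lighttpd.conf) of the mod_auth LDAP setup just described: any valid directory user gets the wiki, only admin gets /server-config. The LDAP host, DNs, bind account, URL paths and realm string are assumptions.

```lighttpd
# Added example, not the post's configuration. Host, DNs, paths and the
# realm are assumptions. Newer lighttpd 1.4 releases also need
# "mod_authn_ldap" in server.modules for the ldap backend.
server.modules += ( "mod_auth" )

auth.backend               = "ldap"
auth.backend.ldap.hostname = "ldap-primary.example.com"
auth.backend.ldap.base-dn  = "ou=people,dc=example,dc=com"
# "$" is replaced with the username typed into the browser's login box.
auth.backend.ldap.filter   = "(uid=$)"

# Only needed when the directory refuses anonymous searches. Use a
# read-only service account, not the directory manager: this password
# is stored in clear text, so keep lighttpd.conf readable by root only.
auth.backend.ldap.bind-dn  = "cn=lighttpd-reader,ou=services,dc=example,dc=com"
auth.backend.ldap.bind-pw  = "change-me"

# Encrypt the lighttpd -> LDAP leg; ca-file is the server's certificate
# (or the CA that issued it) so the bind is not sent to an impostor.
auth.backend.ldap.starttls = "enable"
auth.backend.ldap.ca-file  = "/etc/openldap/cacerts/ldap-primary.pem"

# Paths are matched by prefix; the more specific entry is listed first
# because older 1.4 releases take the first prefix that matches.
# "basic" sends the password base64-encoded, not encrypted, so serve
# these paths over HTTPS only.
auth.require = (
    "/server-config" => (
        "method"  => "basic",
        "realm"   => "Wiki",
        "require" => "user=admin"
    ),
    "/" => (
        "method"  => "basic",
        "realm"   => "Wiki",
        "require" => "valid-user"
    )
)
```

After the restart, a quick curl with and without credentials confirms the split: `curl -sI https://wiki.example.com/server-config` should answer 401, `curl -sI -u admin https://wiki.example.com/server-config` 200, and a non-admin directory user should get 401 on /server-config but 200 on /.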
Yes, I know this is ancient stuff, but I have no choice but to mess with it right now. Old UltraSPARC garbage, weeee! So here goes the installation of some ‘modern day’ packages so I can work with this old box. (It hasn’t been touched since 2002, ouch.)
First you’ll need …
This doesn’t have to be complicated at all. This was what I did on my ldap servers:
[user@ldap-primary /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-primary.pem -keyout ldap-primary.pem -days 3650
[user@ldap-slave1 /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-slave1.pem -keyout ldap-slave1.pem -days 3650
That’s it! No messing …
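As an added example (not the post's own commands), here is the same one-file key-plus-certificate recipe as a function, with a 2048-bit key and a subjectAltName instead of rsa:1024, followed by the check a practitioner wants before pointing slapd at the file: that it really holds both halves, that the private key matches the certificate, and what the subject and lifetime are. Hostnames and the output directory are assumptions; the -addext flag needs OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example, not the post's own commands. Assumes the openssl CLI
# (1.1.1+ for -addext). Hostnames and directories are illustrative.

# Write key and cert into one PEM, as the post does (-keyout and -out name
# the same file; openssl req appends the cert after the key). -nodes
# leaves the key unencrypted so slapd can open it unattended at boot.
make_self_signed() {
    host=$1; dir=${2:-.}; days=${3:-3650}; pem="$dir/$host.pem"
    openssl req -newkey rsa:2048 -x509 -nodes -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$pem" -out "$pem" >/dev/null 2>&1 || return 1
    chmod 600 "$pem"          # the file holds the private key
    echo "$pem"
}

# Confirm the file carries both a certificate and a private key and that
# they belong together: the public key embedded in the cert must equal
# the public key derived from the private key. Prints subject and
# validity dates on success; returns non-zero on any problem.
check_pem() {
    pem=$1
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "$pem: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "$pem: no private key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "$pem: key does not match certificate" >&2; return 1; }
    openssl x509 -in "$pem" -noout -subject -dates
}

# usage (hostnames are assumptions; run on each LDAP server):
#   pem=$(make_self_signed ldap-primary /etc/openldap/cacerts) && check_pem "$pem"
```

The mismatch check matters most after a re-keying: if a cert is regenerated but a stale key block is left in the file, slapd refuses to start or, worse, keeps serving the old pair. Clients then need the certificate half of each file (openssl x509 -in ldap-primary.pem) in their TLS_CACERT or cacerts directory, never the whole file.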