CentOS 7.x 389-DS install SSL certificate

From Notes_Wiki
Revision as of 09:00, 27 January 2019 by Saurabh (talk | contribs)

<yambe:breadcrumb>CentOS_7.x_389DS|CentOS 7.x 389DS</yambe:breadcrumb>

CentOS 7.x 389-DS install SSL certificate

In CentOS 7.x latest 389-DS changing password requires connecting to 389-DS server over LDAPS. Hence SSL certificates must be installed. To install SSL certificate use following steps:

  1. Use command:
    ldapsearch -H ldap://localhost:389 -D 'cn=Directory Manager' -W -Z -b 'cn=encryption,cn=config' -x
    to see values of nsCertFile and nsKeyFile. If these attribute are not present (default) then certificates are at location /etc/dirsrv/slapd-<instance name>/
  2. Assuming certificates are at /etc/dirsrv/slapd-<instance name>/ go to the directory and use command:
    certutil -L -d .
    If there is output similar to:
    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPI
    BH_LDAP_CA C,,
    Server-Cert u,u,u
    then certificates are installed otherwise not.
  3. Assuming certificates are not installed, create a certificate request using easyrsa using Easy-rsa article. Easyrsa is being used for certificate generation as certutil -R was giving error similar to:
    [root@barjatiyarklp slapd-389ds]# certutil -R -d ./ -o 389ds.example.com.req -a -g 4096 -v 24 -s "CN=389ds.example.com,O=RND,L=Hyderabad,ST=Telangana,C=IN" -8 "389ds.example.com,389ds"
    certutil: unable to generate key(s)
    : SEC_ERROR_IO: An I/O error occurred during security authorization.
    Note that the same command at same location seemed to work after waiting for some time. This weird error might solve automatically.
  4. Create pkcs12 certificate using:
    openssl pkcs12 -export -out 389ds.example.com.p12 -inkey pki/private/389ds.example.com.key -in pki/issued/389ds.example.com.crt -certfile pki/ca.crt
    There is no need to set password
  5. Import certificates using:
    certutil -A -n 389ds.example.com -i pki/issued/389ds.example.com.crt -t "TCu,Cu,Tuw" -d /etc/dirsrv/slapd-389ds/
    certutil -A -n ca -i pki/ca.crt -t "TCu,Cu,Tuw" -d /etc/dirsrv/slapd-389ds/
    pk12util -i 389ds.example.com.p12 -d /etc/dirsrv/slapd-389ds/
  6. Open 389-console. Go to Directory Server (389ds). Then go to Configuration Tab. Select "server FQDN:389". In the right pane in Encryption tab select Enable SSL and use this cipher family:RSA options. Click ok for most warnings/notices.
  7. Go to "Tasks" and use "Restart Directory Server" option

Note that under "Tasks" there is "Manage Certificates" which allows certificate management using GUI. It is not tried yet, but is most likely to be easier compared to command line process mentioned above.

Refer:

  1. http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
  2. http://stackoverflow.com/questions/27161403/how-to-setup-dart-to-use-a-ca-ssl-certificate/27176982#27176982
  3. http://serverfault.com/questions/647658/how-to-add-an-existing-key-to-the-certutil-key-database


<yambe:breadcrumb>CentOS_7.x_389DS|CentOS 7.x 389DS</yambe:breadcrumb>