- Setting Up the Directory Server and the Certificate Server
- Generating an SSL Server Certificate
- Generating an SSL Client Certificate
- Setting Up the Appropriate Trust Relations
- Enabling SSL for the Sun ONE Directory Server Software
- Setting Up LDAP/SSL Server Authentication
- Setting Up LDAP/SSL Client Authentication
- Successful and Secure Installation
Generating an SSL Client Certificate
In order to use SSL, you also have to create an SSL-LDAP client certificate that can be used by ldapsearch.
To complete this step you must have access to the certutil tool. You can download this tool from the Mozilla software or the NetscapeTM software website at: http://www.mozilla.org/projects/security/pki/nss/tools/ or http://developer.netscape.com/software/tools/pkcs/up106.html
To Generate an SSL Client Certificate
For use with the command line tools like ldapsearch, ldapadd, etc., follow these steps:
Generate a Netscape browser certificate.
Point the browser at the Sun ONE Certificate Server software URL.
Provide all necessary information.
Full Name: LDAP Client User ID: steffo Email Address: firstname.lastname@example.org Organization Unit: People Organization: init8.net
Your browser should support the KEYGEN tag. This tag enables the browser to generate a keypair and send the public part to the Sun ONE Certificate Server software. The Sun ONE Certificate Server software then signs the key together with the additional information you provided.
When you have successfully applied for the certificate, Sun ONE Certificate Server software gives you a request ID under which your request is being processed. If your request has been approved by the CS Administrator, you have to import the certificate into your browser.
In this example case this is https://sunshine.init8.net:443.
Point your browser to http://sunshine.init8.net and click Retrieval.
Enter the request ID.
The signed certificate is presented to you.
Scroll down the page and click Import your certificate.
You now have a new private key, stored in ~/.netscape/key.db and a new certificate, stored in ~/.netscape/cert7.db.
From the Netscape browser check (Communicator—Tools—Security Info—Certificates—Yours) to verify that this procedure was successful.
A certificate called LDAP Client's iNIT8 ID should be present. Alternatively, you can use the certutil:
bash-2.03# ./certutil -L -d /.netscape | grep LDAP LDAP Client's iNIT8 ID u,u,u bash-2.03# ./certutil -L -d /.netscape -n "LDAP Client's iNIT8 ID" Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: CN=iNIT8 Certificate Manager, OU=CERT, O=iNIT8, L=Hamburg, ST=HAMBURG, C=DE "("...)
Extract the certificate, stored in ~/.netscape/cert7.db to use with ldapsearch, ldapadd, etc. by using the program certutil from the PKCS#11 toolkit.
bash-2.03# ./certutil -L -d /.netscape -n "LDAP Client's iNIT 8 ID" -r > ~/certs/ldap-client.bin