

Generating an SSL Client Certificate

To use SSL with the LDAP command-line tools, you also have to create an SSL-LDAP client certificate that ldapsearch can present to the directory server.


To complete this step you must have access to the certutil tool. You can download it from the Mozilla NSS tools page or from the Netscape software website: http://www.mozilla.org/projects/security/pki/nss/tools/ or http://developer.netscape.com/software/tools/pkcs/up106.html

To Generate an SSL Client Certificate

For use with the command line tools like ldapsearch, ldapadd, etc., follow these steps:

  1. Generate a Netscape browser certificate.

    1. Point the browser at the Sun ONE Certificate Server software URL.

    2. In this example, that is https://sunshine.init8.net:443.

    3. Provide all necessary information.

      Full Name: LDAP Client
      User ID: steffo 
      Email Address: steffo@init8.net
      Organization Unit: People
      Organization: init8.net

      Your browser must support the KEYGEN tag. With it, the browser generates the key pair locally and keeps the private key; only the public key is sent to the Sun ONE Certificate Server software, which signs it together with the additional information you provided, producing your certificate.

      When you have successfully applied for the certificate, the Sun ONE Certificate Server software gives you a request ID under which your request is processed. Once the CS administrator has approved the request, you import the certificate into your browser as follows.

  2. Point your browser to http://sunshine.init8.net and click Retrieval.

  3. Enter the request ID.

    The signed certificate is presented to you.

  4. Scroll down the page and click Import your certificate.

    The signed certificate is now stored in ~/.netscape/cert7.db, next to the private key that the browser generated in step 1 and keeps in ~/.netscape/key.db. The private key never left the machine; only the public key went to the CA.

  5. From the Netscape browser, check Communicator—Tools—Security Info—Certificates—Yours to verify that the procedure succeeded.

    A certificate called LDAP Client's iNIT8 ID should be present. Alternatively, use certutil: -L lists the certificates in a database, -d selects the database directory, and -n selects one certificate by nickname. The listing below was run as root on Solaris, whose home directory is /, so /.netscape is ~/.netscape here.

    bash-2.03# ./certutil -L -d /.netscape | grep LDAP
    LDAP Client's iNIT8 ID       u,u,u
    bash-2.03# ./certutil -L -d /.netscape -n "LDAP Client's iNIT8 ID"
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: CN=iNIT8 Certificate Manager, OU=CERT,
        O=iNIT8, L=Hamburg, ST=HAMBURG, C=DE

    The trust flags u,u,u mark the entry as a user certificate whose private key is present in the database. Note that this CA signed the certificate with MD5; MD5 is no longer collision-resistant, so on a current deployment configure the CA to sign with SHA-256 instead.

  6. Extract the certificate from ~/.netscape/cert7.db for use with ldapsearch, ldapadd, etc., again with the certutil program from the NSS (PKCS #11) toolkit. The -r option writes the certificate in raw binary DER form, so redirect it to a file; use -a instead if you want base64 ASCII output.

    bash-2.03# ./certutil -L -d /.netscape -n "LDAP Client's iNIT8 ID" -r > 
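What certutil -r hands you is a bare DER-encoded X.509 certificate, and it is worth knowing what is inside it before you hand it to an LDAP client. The following is an added example, not code from the article or from the NSS project: a minimal DER walker that pulls out the fields shown in the certutil listing above (version, serial number, signature algorithm, issuer, subject) and flags a weak signature algorithm. The sample certificate it decodes is constructed in the block itself, with the serial, issuer and algorithm values from the listing, a made-up subject and validity period, and a stub key and stub signature, so nothing is verified, only decoded.

```python
# Added example (not from the article): decode the raw DER certificate that
# `certutil -L -n <nick> -r` emits, using a minimal DER walker, and flag a weak
# signature algorithm. The sample certificate is constructed here with a stub
# key and signature, so nothing is verified, only decoded.
OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

# ---- minimal DER encoder, used only to build the constructed sample ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                                   # base-128, high bit = more
        enc = [a & 0x7F]
        while a := a >> 7:
            enc.append(0x80 | (a & 0x7F))
        out.extend(reversed(enc))
    return tlv(0x06, bytes(out))
def seq(*items): return tlv(0x30, b"".join(items))
def integer(n):  # non-negative; pad so the sign bit stays clear
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))
def name(rdns):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(*[tlv(0x31, seq(oid(o), tlv(0x13, v.encode()))) for o, v in rdns])

def build_sample_cert():
    """Constructed sample with the serial, issuer and algorithm from the listing."""
    sig_alg = seq(oid("1.2.840.113549.1.1.4"), tlv(0x05, b""))  # md5WithRSAEncryption
    issuer = name([("2.5.4.3", "iNIT8 Certificate Manager"), ("2.5.4.11", "CERT"),
                   ("2.5.4.10", "iNIT8"), ("2.5.4.7", "Hamburg"),
                   ("2.5.4.8", "HAMBURG"), ("2.5.4.6", "DE")])
    subject = name([("2.5.4.3", "LDAP Client"), ("2.5.4.11", "People"),
                    ("2.5.4.10", "init8.net")])
    validity = seq(tlv(0x17, b"030101000000Z"), tlv(0x17, b"040101000000Z"))
    stub = tlv(0x03, b"\x00" * 17)  # BIT STRING stand-in for both key and signature
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), stub)
    tbs = seq(tlv(0xA0, integer(2)), integer(6), sig_alg, issuer, validity, subject, spki)
    return seq(tbs, sig_alg, stub)

# ---- minimal DER decoder ----
def der_read(buf, pos):
    """Return (tag, content_start, content_end) of the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                        # long-form length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, pos, pos + ln
def der_children(buf, start, end):
    out, pos = [], start                                 # TLVs inside a constructed value
    while pos < end:
        out.append(der_read(buf, pos))
        pos = out[-1][2]
    return out
def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def decode_name(buf, start, end):
    parts = []
    for _, ss, se in der_children(buf, start, end):          # each RDN is a SET
        for _, qs, qe in der_children(buf, ss, se):          # AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = der_children(buf, qs, qe)
            attr = decode_oid(buf[os_:oe])
            parts.append(f"{OID_NAMES.get(attr, attr)}={buf[vs:ve].decode('latin-1')}")
    return ", ".join(parts)

def parse_cert(der):
    tag, cs, ce = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; certutil -L without -r prints text")
    tbs, _sig_alg, _sig = der_children(der, cs, ce)
    f = der_children(der, tbs[1], tbs[2])
    version, i = 1, 0
    if f[0][0] == 0xA0:                                      # [0] EXPLICIT version
        _, vs, ve = der_children(der, f[0][1], f[0][2])[0]
        version, i = int.from_bytes(der[vs:ve], "big") + 1, 1
    alg = der_children(der, f[i + 1][1], f[i + 1][2])[0]     # AlgorithmIdentifier.algorithm
    alg = decode_oid(der[alg[1]:alg[2]])
    return {"version": version,
            "serial": int.from_bytes(der[f[i][1]:f[i][2]], "big"),
            "sig_alg": OID_NAMES.get(alg, alg),
            "issuer": decode_name(der, f[i + 2][1], f[i + 2][2]),
            "subject": decode_name(der, f[i + 4][1], f[i + 4][2])}

def check_cert(info):
    """Flag what to fix before handing the certificate to ldapsearch."""
    if info["sig_alg"] in WEAK_SIG_ALGS:
        return [f"signed with {info['sig_alg']}: MD5/SHA-1 signatures are forgeable, reissue with SHA-256"]
    return []
```

To run it against a real export, read the file written by certutil -r with `open(path, "rb").read()` and pass the bytes to parse_cert; output from -a is base64 text and must be base64-decoded first. On the constructed sample, parse_cert returns version 3, serial 6, md5WithRSAEncryption and the iNIT8 issuer, and check_cert flags the MD5 signature.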