Level: Junior Dive


Waters: DSEE 6.x

Dive tools:

  • DSEE 6.x
  • Solaris 10's certutil utility (depending on distro, can be found in /usr/sfw/bin)
  • A basic level of understanding of SSL/TLS and X.509 certificates
Time needed: 20-30 minutes


On this quick dive, we'll explore creating a new self-signed certificate with certutil to replace the default certificate (defaultCert) that DSEE generates when a slapd instance is created.

You may have noticed from the last SSL walkthrough on this blog site that the default SSL certificate DS uses is self-signed: the issuer and the subject are the same entity, so the one certificate acts both as the server certificate and as its own trust anchor (a "CA cert").

A clear indicator of this is that the default cert shows up both in the server SSL cert list /and/ in the CA cert list:
dsadm list-certs /app/slap1/
defaultCert 2008/05/21 14:29 2008/08/21 14:29 y CN=va64-x4600d-sca11,CN=0,CN=Directory Server,O=Sun Microsystems Same as issuer

dsadm list-certs -C /app/slap1/

defaultCert 2008/05/21 14:29 2008/08/21 14:29 n CN=va64-x4600d-sca11,CN=0,CN=Directory Server,O=Sun Microsystems Same as issuer

(Also note that in the listings above the 'Issued to' column reads 'Same as issuer'. That is the other indicator of a self-signed cert: subject and issuer are identical.)

Although you can renew that self-signed cert via the standard CLI (dsadm renew-selfsign-cert), there is no option at this time to choose the validity period, so you get another short-lived certificate every time.

Therefore you might want to generate the self-signed cert yourself in an external NSS certificate database (the "external CA" in this dive), where certutil lets you pick the validity period and key size, and then import the result into DS.

This is a simple walkthrough of that procedure.

Before we begin, let's take a quick look at the dive chart. Here's what we're going to do:

1) Create the self-signed cert in an external NSS database (our "CA" store)
2) Export the cert and private key from that database as a PKCS#12 file for import into DS
3) Import the self-signed cert and key into DS
4) Set the server to use the new self-signed cert for SSL transactions with clients
5) Test

===

Let's begin the dive!

1) Create the self-signed cert in an external CA

Here we use certutil to generate the self-signed cert in a separate NSS database under /opt/CA. Please consult your security department for the best approach on generating self-signed certificates and on key transport (the PKCS#12 export later in this procedure carries the private key). Always protect the CA key store to the best of your ability, following your company's PKI guidelines: restrictive file permissions, a strong database password, and no copies lying around.

WARNING: This database is *not* the DSEE instance's own certificate database. *Never* manipulate DSEE's cert/key database directly with certutil; always go through the dsadm and dsconf command line interfaces, which is what steps 3 and 4 do.

mkdir /opt/CA
certutil -N -d /opt/CA

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:

certutil -S -x -n "mynewca" -s "cn=v6m3.test.local,ou=premplus,o=Sun,l=Los Angeles,st=CA,c=US" -t "CTu,CTu,CTu" -v 3600 -d /opt/CA

WARNING: -v is the validity in months, and 3600 months is 300 years, so please don't use that as a real value. The longer a key stays in service, the more traffic it protects and the longer an undetected compromise stays useful to an attacker; pick a validity you can realistically rotate on (a year or two). Two further weaknesses of this particular certutil build show up in the listing below: the key is the old 1024-bit RSA default (pass -g 2048 for a 2048-bit key) and the certificate is signed with MD5 ("PKCS #1 MD5 With RSA Encryption"). Newer certutil releases accept -Z SHA256 to select the signature hash; if yours does not, be aware that an MD5 self-signature is a known weakness of this setup.

Enter Password or Pin for "NSS Certificate DB":

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:


Generating key. This may take a few moments...

===
Check the new CA cert
===

certutil -L -n mynewca -d /opt/CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:8d:bc:21:a2
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: "CN=v6m3.test.local,OU=premplus,O=Sun,L=Los Angeles,ST=CA,C=US"
        Validity:
            Not Before: Sat Jul 04 13:14:30 2009
            Not After : Thu Jun 28 13:14:30 2309
        Subject: "CN=v6m3.test.local,OU=premplus,O=Sun,L=Los Angeles,ST=CA,C=US"



===
2) Export the cert and private key for import into DS
===

The PKCS#12 file produced here contains the private key, so it is exactly as sensitive as the key itself: give it a strong password, move it to the DS host over a secure channel, and delete it once the import in step 3 has succeeded.


pk12util -o /opt/tmp/myca.p12 -n mynewca -d /opt/CA
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

===
3) Import the self-signed cert and key into DS
===

dsadm import-selfsign-cert /opt/slap1 /opt/tmp/myca.p12
Enter the PKCS#12 file password:
The Directory Server will need to be restarted before being able to use the new certificate.


dsadm start /opt/slap1
Directory Server instance '/opt/slap1' started: pid=7973

Now the server cert list and the CA cert list both show the new self-signed cert (the CA list is long because it also contains the root CAs bundled with the NSS database, hence the count at the end):

dsadm list-certs -C /opt/slap1

defaultCert 2009/07/04 06:31 2009/10/04 06:31 n CN=v6m3,CN=6361,CN=Directory Server,O=Sun Microsystems Same as issuer
mynewca 2009/07/04 06:14 2309/06/28 05:14 n CN=v6m3.test.local,OU=premplus,O=Sun,L=Los Angeles,ST=CA,C=US Same as issuer
116 certificate(s) found


dsadm list-certs /opt/slap1
Alias Valid from Expires on Self-signed? Issued by Issued to

defaultCert 2009/07/04 06:31 2009/10/04 06:31 y CN=v6m3,CN=6361,CN=Directory Server,O=Sun Microsystems Same as issuer
mynewca 2009/07/04 06:14 2309/06/28 05:14 y CN=v6m3.test.local,OU=premplus,O=Sun,L=Los Angeles,ST=CA,C=US Same as issuer
2 certificate(s) found

===
4) Set the server to use the new self-signed cert for ssl transactions with clients
===

dsconf set-server-prop -i -w /pass -p 3891 ssl-rsa-cert-name:mynewca
Directory Server must be restarted for changes to take effect.

dsadm restart /opt/slap1
Directory Server instance '/opt/slap1' stopped
Directory Server instance '/opt/slap1' started: pid=7998

===
5) Test
===

Now an SSL search works fine. (Two things to avoid in production that this quick test does for brevity: the bind password is given on the command line with -w, where it is visible to every user on the box via ps, so prefer the -j password-file option; and -P points the client at /opt/CA, the database that also holds the private key. Real clients should get a certificate-only database containing just the public cert, exported with certutil -L -a and imported with certutil -A -t "C,,".)
ldapsearch -D "cn=directory manager" -w dirmanager -h v6m3.test.local -p 6361 -Z -P /opt/CA -b "dc=foo,dc=com" objectclass=*
version: 1
dn: dc=foo,dc=com
dc: foo
objectClass: top
objectClass: domain


===CLEANUP===
Cleaning up the old cert (not strictly necessary; it is done here to show that the server no longer depends on defaultCert in any way):

dsadm stop /opt/slap1
Directory Server instance '/opt/slap1' stopped

dsadm remove-cert /opt/slap1 defaultCert


dsadm start /opt/slap1
Directory Server instance '/opt/slap1' started: pid=8027

ssl still works:
ldapsearch -D "cn=directory manager" -w dirmanager -h v6m3.test.local -p 6361 -Z -P /opt/CA -b "dc=foo,dc=com" objectclass=*
version: 1
dn: dc=foo,dc=com
dc: foo
objectClass: top
objectClass: domain

The list of certs now contains only the new self-signed one:


dsadm list-certs /opt/slap1


Alias Valid from Expires on Self-signed? Issued by Issued to

mynewca 2009/07/04 06:14 2309/06/28 05:14 y CN=v6m3.test.local,OU=premplus,O=Sun,L=Los Angeles,ST=CA,C=US Same as issuer
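The five dive steps collected into one script, as an added example that is not code from the original post. It applies the hardening the post only mentions in passing: a bounded validity, a 2048-bit key and SHA-256 signature, passwords read from files instead of the command line, a certificate-only database for clients, deletion of the PKCS#12 file after import, and a check that flags certificates already past a cutoff date in dsadm list-certs output. Every path, password file, port, alias and subject below is an assumption for illustration; the password files are hypothetical and must be created with mode 0600 beforehand. The constructed sample listing used by the offline check is the post's own step 3 output.

```shell
#!/bin/sh
# Added example (not from the original post): DSEE 6.x self-signed cert
# rotation through an external NSS DB, hardened. All paths, password files,
# ports, alias and subject are assumptions. Usage:
#   sh rotate-dsee-cert.sh run        (without "run" only functions are defined)

CA_DIR=/opt/CA                   # external NSS DB acting as the "CA" store
CA_PWFILE=/opt/CA/.dbpw          # hypothetical: NSS DB password, mode 0600
P12_PWFILE=/opt/CA/.p12pw        # hypothetical: PKCS#12 transport password
P12_FILE=/opt/tmp/mynewca.p12
CLIENT_DB=/opt/clientdb          # certificate-only DB handed to LDAP clients
INSTANCE=/opt/slap1
LDAP_PORT=3891
LDAPS_PORT=6361
DM_PWFILE=/opt/slap1/.dmpw       # hypothetical: Directory Manager password
ALIAS=mynewca
SUBJECT="cn=v6m3.test.local,ou=premplus,o=Sun,l=Los Angeles,st=CA,c=US"
VALIDITY_MONTHS=24               # the post's 3600 (300 years) is refused below
AWK=${AWK:-awk}                  # on Solaris 10 run with AWK=nawk

# Accept only a positive integer number of months, capped at five years.
validate_months() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 60 ]
}

# Read "dsadm list-certs" output on stdin and print the aliases whose
# "Expires on" date (4th field) is earlier than the YYYY/MM/DD cutoff in $1.
# Dates in that format compare correctly as strings, so no date arithmetic
# is needed; the header and the "N certificate(s) found" trailer never match.
expiring_before() {
    $AWK -v cutoff="$1" \
        '$2 ~ /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && $4 < cutoff { print $1 }'
}

# Constructed sample: the server cert listing shown in the post after import.
SAMPLE_LISTING='Alias Valid from Expires on Self-signed? Issued by Issued to
defaultCert 2009/07/04 06:31 2009/10/04 06:31 y CN=v6m3,CN=6361,CN=Directory Server,O=Sun Microsystems Same as issuer
mynewca 2009/07/04 06:14 2309/06/28 05:14 y CN=v6m3.test.local,OU=premplus,O=Sun,L=Los Angeles,ST=CA,C=US Same as issuer
2 certificate(s) found'

# Offline demonstration of the expiry check against the sample listing.
demo_check() {
    printf '%s\n' "$SAMPLE_LISTING" | expiring_before "$1"
}

rotate() {
    validate_months "$VALIDITY_MONTHS" || { echo "refusing a validity of $VALIDITY_MONTHS months" >&2; return 1; }
    umask 077
    mkdir -p "$CA_DIR" "$CLIENT_DB" "$(dirname "$P12_FILE")"

    # 1) Self-signed cert in the external NSS DB. -g 2048 replaces the old
    #    1024-bit default, -Z SHA256 avoids the MD5 signature in the post's
    #    output (omit -Z if your certutil is too old to know it), and -z feeds
    #    a finite noise file instead of the keystroke prompt.
    [ -f "$CA_DIR/cert8.db" ] || certutil -N -d "$CA_DIR" -f "$CA_PWFILE"
    noise=$(mktemp /tmp/noise.XXXXXX) || return 1
    dd if=/dev/urandom of="$noise" bs=1024 count=4 2>/dev/null
    certutil -S -x -n "$ALIAS" -s "$SUBJECT" -t "CTu,CTu,CTu" -v "$VALIDITY_MONTHS" \
        -g 2048 -Z SHA256 -z "$noise" -d "$CA_DIR" -f "$CA_PWFILE"
    rm -f "$noise"

    # 2) Export cert plus private key; the .p12 is as sensitive as the key.
    pk12util -o "$P12_FILE" -n "$ALIAS" -d "$CA_DIR" -k "$CA_PWFILE" -w "$P12_PWFILE"

    # 3) Import through dsadm, never certutil against the instance DB.
    #    dsadm prompts for the PKCS#12 password here.
    dsadm import-selfsign-cert "$INSTANCE" "$P12_FILE"
    rm -f "$P12_FILE"

    # 4) Point the server at the new alias and restart.
    dsconf set-server-prop -i -w "$DM_PWFILE" -p "$LDAP_PORT" "ssl-rsa-cert-name:$ALIAS"
    dsadm restart "$INSTANCE"

    # 5) Give clients only the public cert (trust flag C = trusted CA for SSL)
    #    rather than the key-bearing /opt/CA DB, then run the test search.
    certutil -L -n "$ALIAS" -d "$CA_DIR" -a > "$CA_DIR/$ALIAS.pem"
    [ -f "$CLIENT_DB/cert8.db" ] || certutil -N -d "$CLIENT_DB" --empty-password
    certutil -A -n "$ALIAS" -t "C,," -a -i "$CA_DIR/$ALIAS.pem" -d "$CLIENT_DB"
    ldapsearch -D "cn=directory manager" -j "$DM_PWFILE" -h v6m3.test.local \
        -p "$LDAPS_PORT" -Z -P "$CLIENT_DB" -b "dc=foo,dc=com" -s base objectclass=*

    # Anything expired before today (or before $CUTOFF, if set) is printed so
    # it can be removed with dsadm remove-cert, as the cleanup section does.
    dsadm list-certs "$INSTANCE" | expiring_before "${CUTOFF:-$(date +%Y/%m/%d)}"
}

if [ "${1:-}" = "run" ]; then
    rotate
fi
```

The expiry check deliberately compares dates as strings rather than calling date -d, which Solaris 10's date does not support; run demo_check 2010/01/01 to see it pick out defaultCert from the sample listing while leaving the 2309 cert alone. The --empty-password flag on the client database is a newer certutil option; on an older build, drop it and answer the password prompt.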

That's the dive, you are now rated for installing self-signed certificates. Hope you enjoyed the dive and as always, we welcome your feedback!
