Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BZ1212001: draft content #1543

Merged
merged 4 commits into from
Jul 12, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 36 additions & 35 deletions xml/security_ldap_ca.xml
Original file line number Diff line number Diff line change
Expand Up @@ -34,56 +34,57 @@
certificate, and a root certificate.
</para>
<procedure>
<para>
Before you can import an existing private key and certificate into the NSS
database, you need to create a bundle of the private key and the server
certificate. This results in a <filename>*.p12</filename>
file.
</para>
<important>
<title><filename>*.p12</filename> file and friendly name</title>
<para>
When creating the PKCS12 bundle, you must encode <literal>Server-Cert</literal>
as the friendly name in the <filename>*.p12</filename> file.
Otherwise the TLS connection will fail, because the &ds389; searches for
this exact string.
</para>
<para>
The friendly name cannot be changed after you
import the <filename>*.p12</filename> file into the NSS
database.
The Mozilla NSS (Network Security Services ) toolkit uses nicknames for certificates in the certificate store.
The server certificate uses the nickname <emphasis>Server-Cert</emphasis>.
</para>
</important>
</important>
<step>
<para>
Use the following command to create the PKCS12 bundle with the required friendly name:
Use the following commands to remove the Self-Signed-CA and Server-Cert from the instance:
</para>
<screen>&prompt.sudo;<command>openssl pkcs12 -export -in <replaceable>SERVER.crt</replaceable></command> \
<command>-inkey <replaceable>SERVER.key</replaceable></command> \
<command>-out <replaceable>SERVER.p12</replaceable> -name Server-Cert</command></screen>
<screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Self-Signed-CA</command>
&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Server-Cert
</command>
</screen>

<para>
Replace <replaceable>SERVER.crt</replaceable> with the server certificate
and <replaceable>SERVER.key</replaceable> with the private key to be bundled.
Use <option>-out</option> to specify the name of the <filename>*.p12</filename>
file. Use <option>-name</option> to set the friendly name, which must be
<literal>Server-Cert</literal>.
Replace <replaceable>INSTANCE_NAME</replaceable> with the instance name of the directory server.
This is LDAP1 in the previous sections.
</para>
</step>
<step>
<para>
Before you can import the file into the NSS database, you need to
obtain its password. The password is stored in the
<filename>pwdfile.txt</filename> file in the
<filename>/etc/dirsrv/slapd-<replaceable>INSTANCE-NAME/</replaceable></filename> directory.
Import the CA that has signed your certificate.
</para>
<screen>&prompt.sudo;<command>sudo dsctl <replaceable>INSTANCE_NAME</replaceable> tls import-ca
/path/to/CA/in/PEM/format/CA.pem <replaceable>NICKNAME_FOR_CA</replaceable>
</command>
</screen>
<para>Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.
Replace <literal>/path/to/CA/in/PEM/format/CA.pem</literal> with the full path to the CA certificate file in the PEM format.
Replace <literal>NICKNAME_FOR_CA </literal> with a nickname for the CA. </para>
</step>
<step>
<para>
Now import the <replaceable>SERVER.p12</replaceable> file
into your &ds389a; NSS database:
Import the server certificate and the key for the certificate.
</para>
<screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Self-Signed-CA</command>
&prompt.sudo;<command>pk12util -i <replaceable>SERVER.p12</replaceable> -d /etc/dirsrv/slapd-<replaceable>INSTANCE-NAME</replaceable>/cert9.db</command></screen>
</step>
<screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls import-server-key-cert
<replaceable>/path/to/SERVER.pem</replaceable> <replaceable>/path/to/SERVER.key</replaceable></command>
</screen>
<para> Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.
Replace <literal>/path/to/SERVER.pem</literal> with the full path to the server certificate in PEM format.
Replace <literal>/path/to/SERVER.key</literal> with the full path to the server certificate key file in the PEM format.
</para>
</step>
<step>
<para>
Restart the instance so that the new certificates are used.
</para>
<screen>&prompt.sudo;<command>systemctl restart dirsrv@<replaceable>INSTANCE-NAME.</replaceable>.service
</command> </screen>
<para>Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.</para>
</step>
</procedure>
</sect1>