Chapter 11. Managing SSL

"cn=ldap.example.com"; it is beneficial to have a more descriptive name to help with server identification, such as "cn=ldap.example.com, ou=DS1". The FQDN must be resolvable by forward and reverse DNS lookups for Directory Server clients, because certificate validation may fail if the clients cannot properly resolve the FQDN, and some clients refuse to connect if a server certificate does not have its FQDN in the subject. Additionally, using the format cn=hostname.domain is essential for Directory Server clients to protect themselves from man-in-the-middle attacks.

To provide a subjectAltName, as well as the nickname, use the -8 argument in addition to the -s argument.

To use the Directory Server behind a DNS round robin or any other scheme which aliases a single server certificate to multiple hostnames, see the TLS/SSL information about server name wildcards or subjectAltName.
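Why the subject CN (or a subjectAltName entry) must carry the FQDN is easiest to see from the client side. The following is an added Python example, not code from the manual or from Directory Server: it applies RFC 6125-style name matching to a certificate in the dictionary shape that Python's ssl.getpeercert() returns, including the wildcard and subjectAltName cases that let one certificate serve a round-robin pool. The sample certificate, the pool hostname and the wildcard policy (a bare * as the leftmost label only, standing for exactly one label, with at least two literal labels to its right) are this example's own assumptions.

```python
"""Client-side check: does a server certificate name the FQDN we connected to?

Added example; the certificate below is constructed, not taken from any real server.
"""

# Constructed sample in the dictionary shape returned by ssl.SSLSocket.getpeercert():
# "subject" is a tuple of RDNs, "subjectAltName" a tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": (
        (("commonName", "ldap.example.com"),),
        (("organizationalUnitName", "DS1"),),
    ),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.ldap-pool.example.com"),  # covers a round-robin pool of hosts
    ),
}


def dns_names(cert):
    """Names the certificate is valid for.

    subjectAltName dNSName entries win; the subject CN is consulted only when
    the certificate carries no dNSName at all (RFC 6125 section 6.4.4).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def _name_match(pattern, host):
    """Match one certificate name (possibly a wildcard) against one hostname.

    Wildcard policy of this example: a bare "*" is accepted only as the
    leftmost label, it stands for exactly one label, and at least two literal
    labels must follow it, so "*.com" never matches anything.
    """
    if pattern == host:
        return True
    if "*" not in pattern:
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches(cert, hostname):
    """True if hostname (the name the client dialled) is covered by cert."""
    host = hostname.rstrip(".").lower()
    return any(_name_match(name.rstrip(".").lower(), host) for name in dns_names(cert))


def verify_peer(cert, hostname):
    """Raise ValueError listing the names the certificate does carry when it
    does not cover hostname; that is the detail an operator wants in a client log."""
    if not hostname_matches(cert, hostname):
        raise ValueError(
            f"certificate does not match {hostname!r}; it is valid for {dns_names(cert)}")


if __name__ == "__main__":
    for host in ("ldap.example.com", "ds3.ldap-pool.example.com", "ldap.example.org"):
        print(host, hostname_matches(SAMPLE_CERT, host))
```

Note that once a certificate carries any dNSName in subjectAltName, the CN is no longer consulted, so a server certificate whose SAN list omits the FQDN the clients actually use will be rejected even though the CN is correct.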

Server certificates for other servers are created using a similar command as for the Directory Server certificate. Make sure that every -n option (nickname) and -m option (serial number) is unique for every certificate, and make sure that the -s option gives the correct FQDN for the server.

NOTE

Keep careful track of the numbers set with the -m option. The -m option sets the unique identifier for the server certificate, and a CA cannot issue two certificates with the same ID. Keep a log of issued serial numbers so that no number is ever duplicated.
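One way to keep the serial log the note asks for, as an added Python example that is not from the manual: the ledger file format (one "serial nickname subject" line per certificate), the sample entries and the helper names are assumptions of this example. It allocates the next unused -m value, refuses a duplicate serial or nickname, and assembles the certutil -S argument list with the -n, -s, -m and -8 options discussed above; password-file and noise-file arguments are left to the caller because they depend on how the database was created.

```python
"""Serial-number ledger for certificates issued with certutil -S.

Added example; the ledger format (one "serial nickname subject" line per
certificate) and the helper names are assumptions of this example.
"""
import subprocess
from pathlib import Path

# Constructed ledger: serials already issued by the CA in this NSS database.
SAMPLE_LEDGER = """\
# serial nickname subject
1001 CA-Cert cn=Example CA, o=Example Corp
1002 Server-Cert cn=ldap.example.com, ou=DS1
"""


def load_ledger(text):
    """Parse ledger lines into (serial, nickname, subject) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)   # subject may itself contain spaces
        if len(parts) != 3:
            raise ValueError(f"ledger line {lineno} is malformed: {raw!r}")
        entries.append((int(parts[0]), parts[1], parts[2]))
    return entries


def next_serial(entries):
    """Lowest serial above every serial already logged (gaps are never reused)."""
    return max((serial for serial, _, _ in entries), default=0) + 1


def check_unique(entries, serial, nickname):
    """Refuse a serial (-m) or nickname (-n) that the ledger already holds."""
    for logged_serial, logged_nick, subject in entries:
        if logged_serial == serial:
            raise ValueError(f"serial {serial} already issued to {logged_nick} ({subject})")
        if logged_nick == nickname:
            raise ValueError(f"nickname {nickname!r} already used for serial {logged_serial}")


def build_certutil_args(dbdir, nickname, fqdn, serial, ou=None,
                        issuer="CA certificate", extra_dns=(), validity_months=24):
    """certutil -S argument list: subject cn=<FQDN>[, ou=<unit>], SAN names via -8.

    The password-file (-f) and noise-file (-z) arguments are left to the caller.
    """
    subject = f"cn={fqdn}" + (f", ou={ou}" if ou else "")
    san = ",".join((fqdn,) + tuple(extra_dns))
    return ["certutil", "-S", "-d", dbdir, "-n", nickname, "-s", subject,
            "-c", issuer, "-t", ",,", "-m", str(serial),
            "-v", str(validity_months), "-8", san]


def issue_server_cert(ledger_text, dbdir, nickname, fqdn, **options):
    """Allocate a serial, verify uniqueness, return (argv, updated ledger text)."""
    entries = load_ledger(ledger_text)
    serial = next_serial(entries)
    check_unique(entries, serial, nickname)
    argv = build_certutil_args(dbdir, nickname, fqdn, serial, **options)
    subject = argv[argv.index("-s") + 1]
    body = ledger_text if not ledger_text or ledger_text.endswith("\n") else ledger_text + "\n"
    return argv, body + f"{serial} {nickname} {subject}\n"


def issue_and_record(ledger_path, dbdir, nickname, fqdn, **options):
    """Run certutil and append to the ledger file only after it succeeded."""
    path = Path(ledger_path)
    text = path.read_text() if path.exists() else ""
    argv, new_text = issue_server_cert(text, dbdir, nickname, fqdn, **options)
    # certutil may prompt for the database password and for noise unless -f/-z were given.
    subprocess.run(argv, check=True)
    path.write_text(new_text)
    return argv
```

The ledger is appended only after certutil returns success, so a failed run neither records nor reuses a serial that was never issued.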

8. Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in a TLS/SSL connection. Use certutil to export the CA certificate in ASCII/PEM format:

certutil -d . -L -n "CA certificate" -a > cacert.asc

The way that the CA certificate is imported is different for every client. For example, certutil can import a CA certificate into another Directory Server certificate database:

cd /etc/dirsrv/slapd-otherserver

certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc

9. Use pk12util to export other server certificates and keys created with certutil so that they can be used on a remote server.

pk12util -d . -o ldap1.p12 -n Server-Cert1 -w /tmp/pwdfile -k /tmp/pwdfile

HP-UX Red Hat Directory Server Software manual, page 404