through the Command Line

The -w argument is the password used to encrypt the .p12 file for transport. The -k argument specifies the password for the key database containing the server certificate being exported to .p12.

10. If the Directory Server will run with TLS/SSL enabled, then create a password file (pin.txt) for the server to use so it will not prompt you for a password every time it restarts. Creating the password file is described in Section 4.3, “Creating a Password File for the Directory Server”.

The certificates created by certutil are automatically available in the Encryption tab of the Console. There is no need to import them because they are already in the certificate database.

3.2. certutil Usage

certutil can be used for a variety of tasks to manage certificates and keys, such as generating certificate requests and removing certificates from the certificate database. Some of the most common options are listed in Table 11.1, “certutil Options”. For the full list of commands and arguments, run certutil -H from the command line.

Options                                             Description

certutil -L -d .                                    Lists the certificates in the database.

certutil -L -d . -n "cert_name"                     "Pretty prints" the specified certificate; the cert_name can
                                                    specify either a CA certificate or a client certificate.

certutil -L -d . -n "cert_name" > certfile.asc      Exports the specified certificate out of the database to
                                                    ASCII (PEM) format.

certutil -L -d . -n "cert_name" -r > certfile.bin   Exports the specified certificate out of the database to
                                                    binary format; this can be used with Directory Server
                                                    attributes such as userCertificate;binary.

Table 11.1. certutil Options
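The last two rows of the table export the same certificate in PEM and in DER form. The following is an added example, not code from the manual or from Directory Server: it takes the PEM text that certutil -L -d . -n "cert_name" writes, decodes it to DER, checks that the result is one complete DER SEQUENCE (the outer structure of every X.509 certificate) before trusting it, and wraps it into an LDIF modify for the userCertificate;binary attribute, folded at 76 columns as LDIF requires. The certificate bytes and the DN are constructed stand-ins, not a real certificate.

```python
import base64
import re

# Constructed sample, NOT a real certificate: a minimal DER SEQUENCE holding one
# INTEGER, just enough to exercise the PEM -> DER -> LDIF path offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem_text: str) -> bytes:
    """Decode the first PEM block, as written by certutil -L -d . -n "cert_name"."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_sequence_length(der: bytes) -> int:
    """Check that the bytes form exactly one DER SEQUENCE; return its content length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = der[1]
    if first < 0x80:                       # short-form length: one byte
        length, header = first, 2
    else:                                  # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("truncated data or trailing bytes after the SEQUENCE")
    return length

def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold one LDIF line as RFC 2849 requires: continuation lines start with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def usercert_ldif(dn: str, der: bytes) -> str:
    """LDIF 'modify' that replaces userCertificate;binary with the DER certificate."""
    der_sequence_length(der)               # refuse anything that is not one whole SEQUENCE
    b64 = base64.b64encode(der).decode("ascii")
    return (f"dn: {dn}\nchangetype: modify\nreplace: userCertificate;binary\n"
            + fold_ldif_line(f"userCertificate;binary:: {b64}") + "\n-\n")
```

The resulting LDIF can be applied with ldapmodify; the same DER bytes are what the -r export writes to certfile.bin.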

4. Starting the Server with TLS/SSL Enabled

Most of the time, the server should run with TLS/SSL enabled. If TLS/SSL is temporarily disabled, re-enable it before processing transactions that require confidentiality, authentication, or data integrity.

Before TLS/SSL can be activated, first create a certificate database, obtain and install a server certificate, and trust the CA's certificate, as described in Section 2, “Obtaining and Installing Server Certificates”.

With TLS/SSL enabled, when the server restarts, it prompts for the PIN or password to unlock

HP-UX Red Hat Directory Server software manual