20090426

Directory Server SSL Certificate

Recently, I've added the article about SSL configuration of Sun Java Communications Suite components (link).
Today I want to expand it with Directory Server SSL preparation.

DS comes with a self-signed certificate, valid for a period of three months. Its name is defaultCert, and by default it allows secure connections through port 636.
It's stored in the alias directory under the instance path:

book [/]# ls /instances/ds1/alias
certmap.conf secmod.db slapd-cert8.db slapd-key3.db


book [/instances/ds1/alias]# dsconf get-server-prop -D cn=dirmgr ssl-rsa-cert-name
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : defaultCert

book [/]# /opt/SUNWdsee/ds6/bin/dsadm list-certs /instances/ds1/
Alias Valid from Expires on Self-signed? Issued by Issued to
----------- ---------------- ---------------- ------------ ----------------------------------------------------- --------------
defaultCert 2009/03/18 12:28 2009/06/18 12:28 y CN=book,CN=636,CN=Directory Server,O=Sun Microsystems Same as issuer
1 certificate(s) found

book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u


But I want to use the same one as with the other COMMS components, Server-Cert, issued by a CA.

book [/instances/ds1/alias]# dsadm import-cert /instances/ds1/ /root/SSL/VeriSign.cert.pkcs12
Enter the PKCS#12 file password:
The Directory Server will need to be restarted before being able to use the new certificate.
book [/instances/ds1/alias]# dsadm stop /instances/ds1
Directory Server instance '/instances/ds1' stopped
book [/instances/ds1/alias]# dsadm start /instances/ds1
Directory Server instance '/instances/ds1' started: pid=25150
book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u
Server-Cert u,u,u

Now I have to change the default RSA certificate name in the DS configuration:

book [~]# dsconf set-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name:Server-Cert
Enter "cn=dirmgr" password:
Before setting SSL configuration, export Directory Server data.
Do you want to continue [y/n] ? y
Directory Server must be restarted for changes to take effect.

Restart DS one more time. That's all folks.

To confirm, query the property again. Since dsconf now connects to a server presenting a certificate it has not trusted before, it asks about it first:

book [~]# dsconf get-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name
Certificate "CN=[...]" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : Server-Cert
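
As an added example (not from the original post), here is a small sh check that parses the output of the two commands used above and confirms the alias named by ssl-rsa-cert-name exists in the cert DB, is CA-issued rather than self-signed, and has not expired. The sample outputs are constructed from the post's own listing, with the Server-Cert row and its issuer made up; the output formats are assumed to match DS 6.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a DS instance's
# SSL certificate setup from the output of the two commands shown above.
# Assumption: the formats below match `dsadm list-certs` and
# `dsconf get-server-prop ... ssl-rsa-cert-name` on DS 6 as shown in the post.

# Constructed sample of `dsadm list-certs <instance>`; the Server-Cert row is
# made up. Column 1 is the alias, column 4 the expiry date, column 6 self-signed.
LIST_CERTS='Alias Valid from Expires on Self-signed? Issued by Issued to
----------- ---------------- ---------------- ------------ ---------- ---------
defaultCert 2009/03/18 12:28 2009/06/18 12:28 y CN=book,CN=636,CN=Directory Server,O=Sun Microsystems Same as issuer
Server-Cert 2009/04/01 00:00 2010/04/01 00:00 n CN=Example CA (constructed) CN=book
2 certificate(s) found'

# Constructed sample of the property query after the change.
SERVER_PROP='ssl-rsa-cert-name : Server-Cert'

# Alias that the server is configured to present, e.g. "Server-Cert".
active_cert_alias() {
  printf '%s\n' "$1" | awk -F' : ' '$1 == "ssl-rsa-cert-name" { print $2 }'
}

# One line per certificate: "<alias> <expires yyyy/mm/dd> <self-signed y|n>",
# skipping the header, the dashed rule and the trailing "N certificate(s)" line.
cert_table() {
  printf '%s\n' "$1" | awk 'NR > 2 && $1 !~ /^[0-9]+$/ { print $1, $4, $6 }'
}

# check_ssl_cert <list-certs output> <get-server-prop output> <today yyyy/mm/dd>
# Returns 0 when the configured alias exists in the cert DB, is CA-issued and
# has not expired; otherwise prints the reason and returns 1.
check_ssl_cert() {
  today=$(printf '%s' "$3" | tr -d /)
  alias_=$(active_cert_alias "$2")
  line=$(cert_table "$1" | awk -v a="$alias_" '$1 == a')
  [ -n "$line" ] || { echo "ssl-rsa-cert-name '$alias_' is not in the cert DB"; return 1; }
  set -- $line                    # $1 alias, $2 expiry date, $3 self-signed flag
  [ "$3" = "n" ] || { echo "$1 is self-signed; clients will not trust it"; return 1; }
  expires=$(printf '%s' "$2" | tr -d /)  # zero-padded dates compare as integers
  [ "$expires" -gt "$today" ] || { echo "$1 expired on $2"; return 1; }
  echo "$1 OK, valid until $2"
}

check_ssl_cert "$LIST_CERTS" "$SERVER_PROP" 2009/04/26
```

Run it against the real outputs by replacing the two sample variables with command substitutions of `dsadm list-certs` and `dsconf get-server-prop`.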

2 comments:

anu said...

Thanks for this article. This article extends to provide added information about a Directory server's authenticity. I bought the SSL certificate from the tucktail.

Julie said...

Thanks for the post Marcin. I have been setting up my own retail website and needed help with SSL encryption. I got in contact with a website called SSL 247 who helped create an SSL certificate for my site, which is important for customer protection.