Using certutil
426
Red Hat Directory Server Administrator’s Guide • May 2005
3. Create a password file for the security token password.

   vi /tmp/pwdfile
   secretpw

   This password locks the server's private key in the key database and is
   used when the keys and certificates are first created. The password in this
   file is also the default password used to encrypt PK12 files created by
   pk12util. Because this password is stored in plaintext, the password file
   should be owned by the user Directory Server runs as (nobody by default),
   and it must be readable only by the Directory Server user, with no access
   for anyone else (mode 0400). It's a good idea to have a secure backup of
   this file.
4. Set the environment variable for the shell to include the certutil
   directory path. For example:

   export PATH=serverRoot/shared/bin/:$PATH

   The command varies depending on the shell.
5. Create the key and certificate databases.

   certutil -N -d . -f /tmp/pwdfile -P slapd-instance_name-
6. Generate the self-signed CA certificate. certutil creates the required key
   pairs and the certificate. This certificate is used to generate the other
   server certificates and can be exported for use with other servers and
   clients.

   certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=example,dc=com" \
       -x -t "CT,," -2 -m 1000 -v 120 -d . -k rsa -g 1024 \
       -f /tmp/pwdfile -P slapd-instance_name-
7. Generate the Directory Server client certificate.

   certutil -S -n "Server-Cert" -s "cn=FQDN,cn=Directory Server" \
       -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -g 1024 \
       -f /tmp/pwdfile -P slapd-instance_name-

   The value of the -s argument is very important. The leftmost RDN must be
   cn=FQDN (where FQDN is the fully-qualified host and domain name of the
   Directory Server). For example, to issue a certificate for a server with
   the name ldap.example.com, specify at least -s "cn=ldap.example.com"; it is
   beneficial to have a more descriptive name to help with server
   identification, such as "cn=ldap.example.com, ou=DS1". The FQDN must be
   available for DNS and reverse DNS lookups to Directory Server clients
   because certificate
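The following script is an added example, not part of the Red Hat guide: it wraps steps 3 and 5 to 7 above so that the password file is created with mode 0400 from the start and the Server-Cert subject is checked to begin with cn=FQDN before certutil is called. The instance name "example", the FQDN ldap.example.com, the RSA key size of 2048 (the guide shows 1024) and the RUN_CERTUTIL gate are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: scripts steps 3 and 5-7 above.
# Assumptions (constructed): instance "example", FQDN ldap.example.com,
# DS user "nobody", RSA 2048 instead of the guide's 1024.

# Step 3: write the token password under a restrictive umask so the file
# never exists world-readable, then pin mode 0400 as the guide requires.
make_pwdfile() {
    file="$1"; password="$2"
    ( umask 077; printf '%s\n' "$password" > "$file" )
    chmod 0400 "$file"
    # chown needs root; when not root, the DS user must run this script itself
    if [ "$(id -u)" -eq 0 ]; then
        chown "${DS_USER:-nobody}" "$file" 2>/dev/null || echo "chown failed" >&2
    fi
    return 0
}

# Permission bits of a file, e.g. "400" (GNU stat first, BSD stat fallback).
pwdfile_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Step 7 subject: the leftmost RDN must be cn=FQDN; extra RDNs follow it.
server_subject() {
    if [ -n "$2" ]; then printf 'cn=%s,%s' "$1" "$2"; else printf 'cn=%s' "$1"; fi
}

# Returns 0 if the subject's leftmost RDN is exactly cn=<fqdn>, 1 otherwise.
subject_has_fqdn_cn() { [ "${1%%,*}" = "cn=$2" ]; }

# Steps 5-7. -2 prompts for basic constraints (CA? path length? critical?),
# so the answers are fed on stdin; -z supplies noise for key generation.
run_certutil_steps() {
    dir="$1"; pwdfile="$2"; fqdn="$4"; prefix="slapd-$3-"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 1; }
    subject=$(server_subject "$fqdn" "ou=DS1")
    subject_has_fqdn_cn "$subject" "$fqdn" || { echo "bad subject: $subject" >&2; return 1; }
    head -c 1024 /dev/urandom > "$dir/noise"
    certutil -N -d "$dir" -f "$pwdfile" -P "$prefix"
    printf 'y\n\ny\n' | certutil -S -n "CA certificate" \
        -s "cn=My Org CA cert,dc=example,dc=com" -x -t "CT,," -2 -m 1000 -v 120 \
        -d "$dir" -k rsa -g 2048 -z "$dir/noise" -f "$pwdfile" -P "$prefix"
    certutil -S -n "Server-Cert" -s "$subject" -c "CA certificate" -t "u,u,u" \
        -m 1001 -v 120 -d "$dir" -k rsa -g 2048 -z "$dir/noise" -f "$pwdfile" -P "$prefix"
    rm -f "$dir/noise"
}

# Stand-alone run: the certutil part is gated because it needs the tool installed.
workdir=$(mktemp -d); make_pwdfile "$workdir/pwdfile" "secretpw"
echo "pwdfile mode: $(pwdfile_mode "$workdir/pwdfile")"
if [ "${RUN_CERTUTIL:-0}" = 1 ]; then run_certutil_steps "$workdir" "$workdir/pwdfile" example ldap.example.com; fi
```

Set RUN_CERTUTIL=1 to execute the certutil steps against the temporary directory; without it the script only prepares and verifies the password file and subject.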