Creating Directory Server Certificates through the Command Line
5. Create the key and certificate databases.
certutil -N -d . -f /tmp/pwdfile
6. Generate the self-signed CA certificate. certutil creates the required key pairs and the certificate. This certificate is used to generate the other server certificates and can be exported for use with other servers and clients.
certutil -S -n "CA certificate" -s "cn=CA cert, dc=example,dc=com" -x -t "CT,," -2 -m 1000 -v 120 -d . -k rsa -g 1024 -f /tmp/pwdfile
7. Generate the Directory Server client certificate.
certutil -S -n "Server-Cert" -s "cn=FQDN" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -g 1024 -f /tmp/pwdfile
The value of the -s argument is very important. The leftmost RDN must be cn=FQDN (where FQDN is the fully-qualified host and domain name of the Directory Server). For example, to issue a certificate for a server with the name ldap.example.com, specify at least -s "cn=ldap.example.com"; it is beneficial to have a more descriptive name to help with server identification, such as "cn=ldap.example.com, ou=DS1". The FQDN must be available for DNS and reverse DNS lookups to Directory Server clients because certificate validation may fail if the clients cannot properly resolve the FQDN, and some clients refuse to connect if a server certificate does not have its FQDN in the subject. Additionally, using the format cn=hostname.domain is essential for Directory Server clients to protect themselves from man-in-the-middle attacks.
NOTE
There should only be one cn in a certificate subject name. To add detail to the subject name, use cn as the RDN and another attribute — like ou, l, or c — for the other subject name elements.
To provide a subjectAltName, as well as the nickname, use the -8 argument in addition to the -s argument.
To use the Directory Server behind a DNS round robin or any other scheme which aliases a
single server certificate to multiple hostnames, see the TLS/SSL information about server name
wildcards or subjectAltName.
Server certificates for other servers are created using a similar command as for the Directory Server certificate. Make sure that every -n option (nickname) and -m option (serial number) is unique for every certificate, and make sure that the -s option gives the correct FQDN for the server.
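The following shell helpers are an added example, not part of the Red Hat documentation: they build and check a server certificate subject against the rules above (leftmost RDN is cn=FQDN, exactly one cn) and then issue the certificate with certutil, adding the FQDN as a subjectAltName with -8. The database directory, password file and the 2048-bit key size are assumptions; the CA nickname is the one from step 6.

```shell
#!/bin/sh
# Assumed values (not from the page): NSS database directory, password file.
NSSDB=${NSSDB:-.}
PWDFILE=${PWDFILE:-/tmp/pwdfile}
CA_NICK="CA certificate"   # nickname created in step 6

# Build a server certificate subject: the leftmost RDN must be cn=FQDN,
# and any extra detail goes in a second RDN (ou=...), never a second cn.
# Usage: server_subject FQDN [OU]
server_subject() {
    case "$1" in
        *.*) ;;                              # needs at least host.domain
        *) echo "not an FQDN: $1" >&2; return 1 ;;
    esac
    if [ -n "$2" ]; then
        printf 'cn=%s, ou=%s' "$1" "$2"
    else
        printf 'cn=%s' "$1"
    fi
}

# Check a subject string against the rules in the text: the leftmost RDN
# is cn=<fqdn>, and exactly one cn appears. Returns 0 if OK, 1 otherwise.
# Usage: check_subject SUBJECT FQDN
check_subject() {
    subj=$1; fqdn=$2
    first=$(printf '%s' "$subj" | cut -d, -f1 | sed 's/^ *//')
    [ "$first" = "cn=$fqdn" ] || return 1
    n=$(printf '%s' "$subj" | tr ',' '\n' | grep -ci '^ *cn=' || true)
    [ "$n" -eq 1 ]
}

# Issue a server certificate signed by the step-6 CA, with the FQDN both in
# the subject and in a subjectAltName (-8). SERIAL must be unique per CA
# (the -m option). Key size 2048 is an assumption, not the page's value.
# Usage: issue_server_cert FQDN SERIAL [OU]
issue_server_cert() {
    subj=$(server_subject "$1" "$3") || return 1
    check_subject "$subj" "$1" || return 1
    certutil -S -n "Server-Cert" -s "$subj" -8 "$1" -c "$CA_NICK" \
        -t "u,u,u" -m "$2" -v 120 -d "$NSSDB" -k rsa -g 2048 -f "$PWDFILE"
}
```

Run `issue_server_cert ldap.example.com 1001 DS1` inside the directory holding the databases from step 5; a subject such as "ou=DS1, cn=ldap.example.com" is rejected before certutil is called.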
NOTE
Keep careful track on the numbers set with the -m option. The -m option sets the unique identifier for the server certificate, and a CA cannot issue two certificates