Wednesday, 9 November 2011

install CA-signed server certificate

You will need to do the following so that the server starts without prompting for a password


#vim /etc/dirsrv/slapd-ds1/pin.txt
Internal (Software) Token:PASSWORD

#chmod 400 /etc/dirsrv/slapd-ds1/pin.txt

#chown nobody:nobody  /etc/dirsrv/slapd-ds1/pin.txt

for the admin server do the following

#vim /etc/dirsrv/admin-serv/password.conf
internal:PASSWORD

#chmod 400 /etc/dirsrv/admin-srv/password.conf

#chown nobody:nobody  /etc/dirsrv/admin-serv/password.conf

#vim /etc/dirsrv/admin-serv/nss.conf
NNSPassPhraseDialog file://///etc/dirsrv/admin-serv/password.conf

Install the Certificate

  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
  2. Select the Server Certs tab, and click Install.
  3. Give the certificate location or paste the certificate text in the text box, then click Next.

    • In this file. Enter the absolute path to the certificate in this field.
    • In the following encoded text block. Copy the text from the CA's email or from the created text file, and paste it in this field.
  4. Check that the certificate information displayed is correct, and click Next.
  5. Give a name to the certificate, and click Next.
  6. Provide the password that protects the private key. This password is the same as the one provided in step 5 inSection 11.2.1, “Step 1: Generate a Certificate Request”.
After installing the server certificate, configure the Directory Server to trust the CA which issued the server's certificate.

Trust the Certificate Authority

Configuring the Directory Server to trust the certificate authority consists of obtaining the CA's certificate and installing it into the server's certificate database. This process differs depending on the certificate authority. Some commercial CAs provide a web site that allow users to automatically download the certificate. Others will email it back to users.
After receiving the CA certificate, use the Certificate Install Wizard to configure the Directory Server to trust the certificate authority.
  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
  2. Go to the CA Certs tab, and click Install.
  3. If the CA's certificate is saved to a file, enter the path in the field provided. Alternatively, copy and paste the certificate, including the headers, into the text box. Click Next.
  4. Check that the certificate information that opens is correct, and click Next.
  5. Name the certificate, and click Next.
  6. Select the purpose of trusting this certificate authority; it is possible to select both options:
    • Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
    • Accepting connections to other servers (Server Authentication). This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted certificate authority.
  7. Click Done.
Once both the server and CA certificates are installed, it is possible to configure the Directory Server to run in TLS/SSL. However, Red Hat recommends verify ingthat the certificates have been installed correctly.

Confirm That The New Certificates Are Installed

  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
  2. Select the Server Certs tab.
    A list of all the installed certificates for the server opens.
  3. Scroll through the list. The certificates installed previously should be listed.
It is now possible to set up the Directory Server to run in TLS/SSL

No comments:

Post a Comment