Self-Signed Certificates with Sun’s Directory Server 6
This is basically a rehash of an email conversation I had on a mailing list with someone who was trying to get ldapsearch and the Solaris LDAP nameservice commands to communicate with a DS 6 instance over SSL.
Problem: The self-signed certs generated by DS6 have a certificate subject that doesn’t validate properly with tools like the Solaris 10 ldapsearch command or ldap_cachemgr when used in SSL mode.
Background: Any SSL based software that wants to verify certificates will compare the subject/cn of the certificate against the hostname of the server.
The default subject of the DS6 auto-generated certs looks something like this:
CN=$SHORTNAME,CN=636,CN=Directory Server,O=Sun Microsystems
Solution: In order to work with software that validates that the hostname matches the subject, we need to remove the existing certificate and create a new certificate with a subject that matches the hostname. The steps below will generate a self-signed cert with a proper subject:
# dsadm stop $PATH_TO_YOUR_INSTANCE
# dsadm remove-cert $PATH_TO_YOUR_INSTANCE defaultCert
(you will see the error message: You are going to remove the certificate used by the instance. You will not be able to restart the instance.)
# dsadm add-selfsign-cert -S cn=$YOUR_FQDN_HERE \
        $PATH_TO_YOUR_INSTANCE defaultCert
# dsadm start $PATH_TO_YOUR_INSTANCE
Once you have done this, you will still need to export the certificate and import it into your certificate database (typically cert7.db/cert8.db for NSS based commands or a java keystore).
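The check that bites here is the one the client performs: it takes the leftmost CN of the certificate subject and compares it with the hostname it connected to, so the DS6 default subject (CN=$SHORTNAME,CN=636,...) yields a short name that never equals the FQDN the client used. The following POSIX sh functions are an added example written for this post (not code from the post or from Sun’s tools); they model that comparison on a subject DN string so you can sanity-check a subject before running dsadm add-selfsign-cert. The subject strings in the comments are constructed samples. Real NSS-based clients also accept a matching subjectAltName when the certificate carries one, which the dsadm-generated certs discussed here do not.

```shell
#!/bin/sh
# Extract the leftmost CN value from an RFC 2253 style subject DN.
# Attribute type is matched case-insensitively ("CN=" and "cn=" both work).
# Example input (constructed): "CN=ds1,CN=636,CN=Directory Server,O=Sun Microsystems"
subject_cn() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*[Cc][Nn]=//p' \
        | head -n 1
}

# Return 0 (true) when the certificate subject CN equals the hostname the
# client connected to, ignoring case as a DNS name comparison would.
# Usage: cn_matches_host "<subject DN>" "<hostname the client used>"
cn_matches_host() {
    cn=$(subject_cn "$1")
    [ -n "$cn" ] || return 1
    lc_cn=$(printf '%s' "$cn" | tr 'A-Z' 'a-z')
    lc_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$lc_cn" = "$lc_host" ]
}

# Human-readable verdict, e.g. for a pre-flight script run before
# "dsadm add-selfsign-cert -S cn=<FQDN> ... defaultCert".
check_subject() {
    if cn_matches_host "$1" "$2"; then
        echo "OK: subject CN '$(subject_cn "$1")' matches host '$2'"
    else
        echo "MISMATCH: subject CN '$(subject_cn "$1")' does not match host '$2'"
    fi
}
```

Running check_subject against the DS6 default subject and the FQDN a client uses reports a mismatch; running it against the subject produced by the -S cn=$YOUR_FQDN_HERE step reports OK. The same mismatch is what ldapsearch and ldap_cachemgr refuse in SSL mode.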
May 17th, 2007 at 8:11 pm
Thanks for the info. The self-signed cert is only valid for 3 months. Do you know a process to extend that to a year? I have scripted out the cert creation for DS 5.2P4, but it doesn’t seem to work for DS 6.0.
It’s kind of a pain to upgrade all my DS 5.2P4 servers to DS 6 and push out keys for native ldap clients only to renew and redeploy those keys in 3 months. What a PITA!
May 20th, 2007 at 1:12 am
Hi Rick,
In general for certificate management, my preference is to generate a CA certificate and use that to sign server certificates (using certutil or whatever cert management tool you have). With that method, you only need to push out the CA certificate used for signing to clients, not individual server certificates.
The tip I published above was a quick way to get testing done, but I agree the current 3 month limitation when using the bundled dsadm command for certificate generation doesn’t work well outside of testing scenarios. If you have a Solaris 10 machine, you will likely have a copy of certutil in /usr/sfw/bin.