Managing certificates with dsadm

I was working with dsadm on a Sun Directory Server 6.2 install yesterday and ran into a snag using the cert-export/cert-import functionality. Here are my notes:

1) When using the dsadm cert-export command, you provide a cert alias name, but it actually exports all your certificates.

2) When using dsadm cert-import, I had a problem where it re-imported the serverCert and caCert but the trust permissions on caCert weren’t correct. This caused outbound SSL connections to fail since it wasn’t able to validate the other server’s certificate. (This scenario was for an in-house certificate authority, so it may not apply to people using certificates issued by Verisign and the like.)

You can read about the NSS trust flags in the certutil man page.

Steps to show/fix the caCert trust issue (using the certutil located in /usr/sfw/bin on Solaris 10):

——————————————————————————————————-

# look at the trust settings for caCert, which should be C,,

/var/directory/master1/alias> certutil -L -d . -P slapd-
defaultCert CTu,u,u
serverCert u,u,u
caCert c,c,

# modify the trust settings to the right values

/var/directory/master1/alias> certutil -M -n caCert -t C,, -d . -P slapd-

# list the trust settings again, now they are correct

/var/directory/master1/alias> certutil -L -d . -P slapd-
defaultCert CTu,u,u
serverCert u,u,u
caCert C,,
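The check above can be scripted so that a broken CA trust setting is caught before outbound SSL fails. The following is an added example, not part of the original post: check_trust parses a certutil -L listing on stdin and compares one nickname's trust flags with the expected value, and fix_trust applies the same certutil -M repair shown above only when the flags actually differ. The listing is constructed to match the broken state shown in the post; fix_trust assumes certutil is in PATH and that nicknames contain no whitespace.

```shell
#!/bin/sh
# Audit NSS trust flags the way the post does by hand.
# Constructed sample of `certutil -L -d . -P slapd-` before the fix.
SAMPLE_LISTING='defaultCert CTu,u,u
serverCert u,u,u
caCert c,c,'

# check_trust NICK EXPECTED  (reads a certutil -L listing on stdin)
# Prints the flags found. Returns 0 if they equal EXPECTED, 1 if they
# differ, 2 if NICK is absent. Header lines are skipped because the
# first field must match the nickname exactly (assumes no spaces in it).
check_trust() {
    nick=$1; expected=$2
    found=$(awk -v n="$nick" '$1 == n { print $2; exit }')
    if [ -z "$found" ]; then
        echo "$nick: not found in listing" >&2
        return 2
    fi
    echo "$nick: $found"
    [ "$found" = "$expected" ]
}

# fix_trust NICK EXPECTED DBDIR PREFIX
# Runs the certutil -M repair from the post, but only when the current
# flags differ, so a correct database is never touched.
fix_trust() {
    nick=$1; expected=$2; dbdir=$3; prefix=$4
    if certutil -L -d "$dbdir" -P "$prefix" | check_trust "$nick" "$expected"; then
        echo "$nick already carries trust flags $expected"
    else
        certutil -M -n "$nick" -t "$expected" -d "$dbdir" -P "$prefix"
    fi
}

# Demonstration against the constructed listing (no certutil needed):
# reports "caCert: c,c," and flags it as needing repair.
printf '%s\n' "$SAMPLE_LISTING" | check_trust caCert 'C,,' || echo "caCert trust needs fixing"
```

For a real database the call is `fix_trust caCert 'C,,' /var/directory/master1/alias slapd-`, which mirrors the manual certutil -M step above.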



Copyright © 2010 williamhathaway.com. All Rights Reserved.