directory-dev mailing list archives

From Stefan Seelmann <seelm...@apache.org>
Subject Re: [ApacheDS] Setting up my own certificate for SSL
Date Wed, 17 Dec 2008 21:08:59 GMT
Hi Stefan,

Stefan Zoerner wrote:
> Hi all,
> 
> I am facing some problems with the current (since 1.5.3, I assume) SSL
> configuration. In earlier days, it was possible to provide a keystore
> with the public/private key, certificate etc. here
> 
> http://cwiki.apache.org/confluence/display/DIRxSRVx11/3.3.+How+to+enable+SSL
> 
> 
> Now, the server creates a keypair when it starts the first time and
> stores it in the entry uid=admin,ou=system, in different attributes.
> 
> To be honest: This is an example why our documentation is so bad. The
> old behavior has been well described in the docs. Someone changed it
> completely, and did not update the docs. Same situation holds true for
> the whole configuration. :-(
> 
> Nevertheless, the new SSL functionality seems to be simpler, because it
> is possible to set it up automatically. But if I plan to use a custom
> certificate, it should be at least possible. Today, there was a
> corresponding question on the user list.
> 
> I wanted to update the docs to reflect the changes, and I am still
> trying to figure out what an easy way for our users would be.
> 
> A question for the current implementation: Is there any way to
> configure/influence the key creation at startup? I assume no, but
> perhaps I am missing something.

I have no idea. The only direction I could point you to is the class where
the initial private key and certificate are created, see [1].

> 
> Currently, the only way to set up my own certificate is modifying the
> attribute values for uid=admin,ou=system
> 
> This is not an easy task, because we do not have any tools for that.
> There is no wizard in Studio yet. Even if there were one -- it
> should be possible without a UI client, ...

You are right, if we create some tooling we should put all common code
into the shared libraries, and then create a wizard for studio and a
CL-tool.

> 
> I was able to store my private key, but I am a little bit confused about
> some attributes. What exactly is contained in userCertificate and what in
> publicKey?
> 
> I assume userCertificate holds the certificate the server presents to
> the client. But why do we need publicKey as well? I think it is contained in
> the userCertificate. No?

I assume so too.

Kind Regards,
Stefan


[1]
http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java?view=markup
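
Added example, not part of the original message or of ApacheDS: an X.509 certificate embeds its subject's public key, so a stand-alone public key kept next to a custom certificate can be checked against that certificate with OpenSSL before both are written to the entry. The file names, the subject CN, and the choice of DER-encoded files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; every file name and the subject CN below is constructed.
# Assumption: certificate and public key are handled as DER-encoded files.

make_material() {  # $1 = work dir: throwaway RSA key pair plus self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
  openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der" &&
  openssl pkey -in "$1/key.pem" -pubout -outform DER -out "$1/pub.der" 2>/dev/null
}

spki_digest_from_cert() {  # $1 = DER cert: SHA-256 of the public key embedded in it
  openssl x509 -inform DER -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

spki_digest_from_pub() {   # $1 = DER public key file: SHA-256 of its bytes
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

cert_matches_public_key() {  # $1 = cert.der, $2 = pub.der; exit status 0 on match
  [ "$(spki_digest_from_cert "$1")" = "$(spki_digest_from_pub "$2")" ]
}

# Stand-alone run: generate material and confirm the two values agree.
work=$(mktemp -d)
if make_material "$work" && cert_matches_public_key "$work/cert.der" "$work/pub.der"; then
  echo "public key file matches the key inside the certificate"
else
  echo "mismatch: certificate and public key do not belong together" >&2
fi
rm -rf "$work"
```

A mismatch here means the certificate was issued for a different key pair than the one being stored, which would surface later as a TLS handshake failure.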
