directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject Re: [ApacheDS] Setting up my own certificate for SSL
Date Thu, 18 Dec 2008 13:04:55 GMT
Stefan Seelmann wrote:
> Hi Stefan,
> Stefan Zoerner schrieb:
>> Hi all,
>> I am facing some problems with the current (since 1.5.3, I assume) SSL
>> configuration. In earlier days, it was possible to provide a keystore
>> with the public/private key, certificate etc. here
>> Now, the server creates a keypair when it starts the first time and
>> stores it in the entry uid=admin,ou=system, in different attributes.
>> To be honest: This is an example why our documentation is so bad. The
>> old behavior has been well described in the docs. Someone changed it
>> completely, and did not update the docs. Same situation holds true for
>> the whole configuration. :-(
>> Nevertheless, the new SSL functionality seems to be simpler, because it
>> is possible to set it up automatically. But if I plan to use a custom
>> certificate, it should be at least possible. Today, there was a
>> corresponding question on the user list.
>> I wanted to update the docs to reflect the changes, and I am still
>> trying to figure out what an easy way for our users would be.
>> A question for the current implementation: Is there any way to
>> configure/influence the key creation at startup? I assume no, but
>> perhaps I am missing something.
> I have no idea. The only direction I could point you to is the class where
> the initial private key and certificate are created, see [1].
The KeyStore is created at startup:

            Provider provider = Security.getProvider( "SUN" );
            LOG.debug( "provider = {}", provider );
            CoreKeyStoreSpi coreKeyStoreSpi = new CoreKeyStoreSpi( getDirectoryService() );
            // KeyStore's constructor is protected, hence the anonymous subclass
            KeyStore keyStore = new KeyStore( coreKeyStoreSpi, provider, "JKS" ) {};

            try
            {
                keyStore.load( null, null );
            }
            catch ( Exception e )
            {
                // nothing really happens with this keystore
            }

            chain = LdapsInitializer.init( keyStore );

(this is in the LdapService.start() method).

I don't know how good it is to specifically use the "SUN" security 
provider compared to any other (Bouncy Castle or whatever), and I'm 
pretty sure that many users would like to use their own pre-existing 

This is an area where we are lacking expertise, that's for sure. I wish 
we could have better SSL handling for the upcoming 1.5.5 version, and 
I'm ready to spend some time on that in the next two weeks, but I would 
also appreciate any help, as I'm not a specialist in Java security...
>> Currently, the only way to set up my own certificate is modifying the
>> attribute values for uid=admin,ou=system
>> This is not an easy task, because we do not have any tools for that.
>> There is no wizard in Studio yet. Even if there were one -- it
>> should be possible without a UI client, ...
> You are right, if we create some tooling we should put all common code
> into the shared libraries, and then create a wizard for studio and a
> CL-tool.
Kiran is proposing to work on this CL tool, I think it's a good idea. And 
for sure it _must_ be available in Studio and as a CL tool, with a common part.

cordialement, regards,
Emmanuel Lécharny
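As an added illustration of the mechanism discussed in this thread (this is example code written for this page, not ApacheDS code and not the snippet from LdapService.start()), the program below builds a KeyStore the same way the server does, from a custom KeyStoreSpi wrapped in an anonymous KeyStore subclass, and puts it next to the file-backed alternative a user with a pre-existing keystore would want. The MapKeyStoreSpi class, the keystore path and the password taken from the command line are assumptions made for the example; the real CoreKeyStoreSpi reads the attributes of uid=admin,ou=system instead of maps.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example, not ApacheDS code: SPI-backed vs. file-backed KeyStore.
public class KeyStoreSources
{
    // Minimal in-memory SPI (assumption: stand-in for the directory-backed CoreKeyStoreSpi).
    static class MapKeyStoreSpi extends KeyStoreSpi
    {
        private final Map<String, Key> keys = new HashMap<String, Key>();
        private final Map<String, Certificate[]> chains = new HashMap<String, Certificate[]>();
        private final Map<String, Certificate> certs = new HashMap<String, Certificate>();

        public Key engineGetKey( String alias, char[] pw ) { return keys.get( alias ); }
        public Certificate[] engineGetCertificateChain( String alias ) { return chains.get( alias ); }
        public Certificate engineGetCertificate( String alias )
        {
            Certificate[] c = chains.get( alias );
            return ( c != null && c.length > 0 ) ? c[0] : certs.get( alias );
        }
        public Date engineGetCreationDate( String alias ) { return new Date(); }
        public void engineSetKeyEntry( String alias, Key key, char[] pw, Certificate[] chain )
        {
            keys.put( alias, key );
            chains.put( alias, chain );
        }
        public void engineSetKeyEntry( String alias, byte[] key, Certificate[] chain ) throws KeyStoreException
        {
            throw new KeyStoreException( "encoded keys not supported by this example SPI" );
        }
        public void engineSetCertificateEntry( String alias, Certificate cert ) { certs.put( alias, cert ); }
        public void engineDeleteEntry( String alias ) { keys.remove( alias ); chains.remove( alias ); certs.remove( alias ); }
        public Enumeration<String> engineAliases()
        {
            Set<String> all = new HashSet<String>( keys.keySet() );
            all.addAll( certs.keySet() );
            return Collections.enumeration( all );
        }
        public boolean engineContainsAlias( String alias ) { return keys.containsKey( alias ) || certs.containsKey( alias ); }
        public int engineSize() { return keys.size() + certs.size(); }
        public boolean engineIsKeyEntry( String alias ) { return keys.containsKey( alias ); }
        public boolean engineIsCertificateEntry( String alias ) { return certs.containsKey( alias ); }
        public String engineGetCertificateAlias( Certificate cert )
        {
            for ( Map.Entry<String, Certificate> e : certs.entrySet() )
                if ( e.getValue().equals( cert ) ) return e.getKey();
            return null;
        }
        public void engineStore( OutputStream out, char[] pw ) { /* in-memory only, nothing to persist */ }
        public void engineLoad( InputStream in, char[] pw ) { /* entries arrive via set*Entry, nothing to read */ }
    }

    // Same construction as the server: the anonymous subclass is needed because
    // KeyStore's constructor is protected. load(null, null) only marks it initialised.
    static KeyStore spiBackedKeyStore( KeyStoreSpi spi ) throws Exception
    {
        Provider provider = Security.getProvider( "SUN" );
        KeyStore ks = new KeyStore( spi, provider, "JKS" ) {};
        ks.load( null, null );
        return ks;
    }

    // The file-backed alternative: a keystore the user generated with keytool.
    // Path and password are assumptions supplied by the caller.
    static KeyStore fileBackedKeyStore( String path, char[] password ) throws Exception
    {
        KeyStore ks = KeyStore.getInstance( "JKS" );
        InputStream in = new FileInputStream( path );
        try { ks.load( in, password ); } finally { in.close(); }
        return ks;
    }

    // Either KeyStore feeds the TLS stack identically; the origin of the key material is invisible here.
    static SSLContext sslContextFor( KeyStore ks, char[] keyPassword ) throws Exception
    {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
        kmf.init( ks, keyPassword );
        SSLContext ctx = SSLContext.getInstance( "TLS" );
        ctx.init( kmf.getKeyManagers(), null, null );
        return ctx;
    }

    public static void main( String[] args ) throws Exception
    {
        KeyStore fromSpi = spiBackedKeyStore( new MapKeyStoreSpi() );
        // Round trip through the SPI with a constructed AES key (no chain needed for a secret key).
        fromSpi.setKeyEntry( "demo", new SecretKeySpec( new byte[16], "AES" ), null, null );
        System.out.println( "SPI-backed aliases: " + Collections.list( fromSpi.aliases() ) );
        System.out.println( "key served by SPI: " + fromSpi.getKey( "demo", null ).getAlgorithm() );

        if ( args.length == 2 )   // usage: java KeyStoreSources /path/to/keystore.jks changeit
        {
            KeyStore fromFile = fileBackedKeyStore( args[0], args[1].toCharArray() );
            System.out.println( "file-backed aliases: " + Collections.list( fromFile.aliases() ) );
            sslContextFor( fromFile, args[1].toCharArray() );
        }
    }
}
```

One point this makes visible for the "SUN" provider question: with an SPI supplied directly to the KeyStore constructor, the Provider argument is only what getProvider() reports afterwards; every operation is delegated to the SPI, so the choice between SUN and Bouncy Castle does not affect where the key material comes from. It only matters in the file-backed path, where KeyStore.getInstance("JKS") picks the provider that implements that keystore type.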
