directory-users mailing list archives

From Thorsten Kampe <thors...@thorstenkampe.de>
Subject Re: Certificate for TLS connection to ApacheDS
Date Sun, 12 Jul 2009 19:17:07 GMT
* Stefan Seelmann (Sun, 12 Jul 2009 20:11:06 +0200)
> Thorsten Kampe schrieb:
> > * Kiran Ayyagari (Sun, 12 Jul 2009 12:47:15 +0530)
> >>> I'm trying to bind to ApacheDS 1.5.4 via TLS with Python-LDAP. For
> >>> that ("OPT_X_TLS_CACERTFILE") I need the "X.509 certificate of the
> >>> CA that certified the LDAP server's public key".
> >>>
> >>> Where or how can I get that key?
> >> The certificate and the key pair data is stored in the admin entry
> >> with DN uid=admin,ou=system
> >>
> >> P.S:- You can use Apache Directory Studio to extract the required
> >> information.
> > 
> > Thanks for the response. Could you elaborate? I tried to get the 
> > certificate with LDAP Admin, Softerra LDAP Browser and LDAPSoft's LDAP 
> > Browser but I was not able to establish a TLS connection with those 
> > certificate(s) (while it worked to Active Directory and eDirectory).
> > 
> > Do I have to export publicKey, privateKey or userCertificate? How can I 
> > export that with Apache Directory Studio?
> 
> The certificate of a default ApacheDS installation is self-signed (thus
> its own CA certificate) and stored in userCertificate attribute of
> uid=admin,ou=system. You could just save the value (Using Studio or any
> other tool):
> - Go to uid=admin,ou=system
> - In the Entry Editor, edit the userCertificate attribute, this should
> open the "Hex Editor" (in Studio 1.5 there will be a certificate
> viewer/editor and certificate validation, btw)
> - Use the "Save" button in the opened dialog and save it to disk
> - The certificate is stored in DER format.
> 
> Please see additionally [1] for more information of the SSL/StartTLS
> configuration and certificate handling. The page is not up-to-date, but
> most information is still valid.

Works but when I try to use that certificate (exported in PEM/Base64 
format) I get: "TLS: hostname does not match CN in peer certificate" - 
which is true: CommonName is "ApacheDS". Can I simply create another 
certificate (or use an existing one) and ApacheDS will accept it via the 
hex editor?

Thorsten
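
Added example (Python 3 standard library only; not ApacheDS, Directory Studio or python-ldap code) for the two points of this thread: the DER blob saved from userCertificate converts to the PEM/Base64 form with ssl.DER_cert_to_PEM_cert, and the subject CN inside it is what the "hostname does not match CN in peer certificate" check compares against the host you connect to. The certificate bytes and the host name ldap.example.com are constructed for the demo; the small DER walker also reads the subject out of a real saved certificate, but it looks only at the CN, not at subjectAltName.

```python
import ssl  # stdlib only; added illustration, not ApacheDS, Studio or python-ldap code
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
def parse_tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(seq):  # split the contents of a SEQUENCE or SET into (tag, value) members
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = parse_tlv(seq, pos)
        out.append((tag, val))
    return out

def subject_cn(der):  # walk Certificate -> tbsCertificate -> subject, return its CN or None
    fields = children(children(parse_tlv(der)[1])[0][1])
    if fields[0][0] == 0xA0:  # skip the optional explicit [0] version
        fields = fields[1:]
    subject = fields[4][1]  # serial, signatureAlg, issuer, validity, subject
    for _, rdn in children(subject):  # RDNSequence -> SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == CN_OID:
                return value[1].decode("utf-8")
    return None

def hostname_matches(cn, host):
    """The check behind 'TLS: hostname does not match CN in peer certificate'."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cn[2:]
    return cn == host

def check_saved_cert(der, host):
    """PEM form of the saved DER, its subject CN, and whether that CN fits the connect host."""
    cn = subject_cn(der)
    return ssl.DER_cert_to_PEM_cert(der), cn, cn is not None and hostname_matches(cn, host)

def tlv(tag, body):  # DER encoder for the constructed sample only (bodies < 256 bytes)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body
def sample_cert(cn):  # constructed, unsigned certificate-shaped DER with the given CN (demo data)
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode("utf-8")))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"090712000000Z") + tlv(0x17, b"190712000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))  # placeholder key bits
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))  # placeholder signature
```

check_saved_cert(sample_cert("ApacheDS"), "ldap.example.com") returns the PEM text, "ApacheDS" and False, which is the mismatch the error message reports; with a host name equal to the CN the last value is True.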

