directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pieter Neerincx <>
Subject Re: [ApacheDS] Ceritficate for StartTLS
Date Tue, 27 Apr 2010 16:34:38 GMT
Hi Stefan,

I'm having the same problem and learned the hard way that storing the certificate + private
key in the DS is not a smart thing to do. If you make a mistake as I apparently did, the server
will refuse to start, so I basically locked myself out. Or at least I don't know how to change
the values without Apache Directory Studio. Fortunately that was just a test instance and
no production server (yet) :). I have an OpenSSL certificate, which I managed to convert into
a keystore that I hope I can use with a future version of ApacheDS, but for the time being
I would appreciate any advise on how to extract the certificate + keys from the keystore in
the right format for the Admin Entry...



> Stefan Seelmann wrote on Wed, 06 Jan 2010 04:29:18 -0800
> Hi Matthias,
> Matthias Cramer wrote:
>     As it looks like, the starttls extension does not honor the keystore
>     configured in the ldapServer config.
> Yes, you are right. I just checked the source code and the configured keystore in server.xml
isn't used for StartTLS extended operation :-/
> You could find the certificate and key that is use in the Admin Entry (uid=admin,ou=system):
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
> What you need to do is to extract the private key, public key and certificate from your
keystore and replace the attributes privateKey, publicKey and userCertificate with those guys.
You could use Portacle and OpenSSL to extract those information. If you need further help
don't hesitate to ask.
> Not very user friendly right now...
> Kind Regards,
> Stefan

mobile: +31 6 143 66 783

View raw message