directory-users mailing list archives

From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: Can't connect w/ encryption after loading a custom certificate
Date Thu, 28 Jun 2012 09:13:45 GMT
Hi Mat,

Indeed, both attributes need to be in sync to work correctly.

Thanks for the detailed step by step procedure.

Regards,
Pierre-Arnaud


On 27 juin 2012, at 21:23, Mat Gessel wrote:

> Figured it out. In this case the handshake error means that the data
> being served does not cryptographically correspond to the trusted
> certificate. The value of "userCertificate" must be derived from the
> value of "privateKey". If you change "userCertificate" on
> "uid=admin,ou=system" you must also change "privateKey" to the
> corresponding private key.
> 
> Getting a private key and corresponding certificate is a bit difficult
> with keytool (the Java key/certificate tool) because keytool does not
> expose private keys. Here is the procedure I came up with (copied from
> another document):
> 
> *** Installing a Certificate Generated By Keytool ***
> 
> When you create a new server, a private key and certificate are
> automatically created on the admin entry (uid=admin,ou=system).
> Unfortunately, the certificate references a non-existent issuer. This
> means that clients which expect a valid certificate cannot connect to
> the server.
> 
> In this procedure we will:
> 1. create a keystore containing a private key & certificate.
> 2. export the certificate
> 3. export the public key to X.509/DER format
> 4. export the private key to PKCS#8/DER format
> 5. import the keys and certificate to ApacheDS
> 
> # create a PKCS#12 keystore containing a 2048 bit RSA private key and
> # a certificate for localhost
> # the CN must match the host name of the server. A CN of "localhost"
> # will not work for ldaps://my-server:389 or vice-versa
> # we create a keystore in PKCS#12 format for consumption by OpenSSL
> keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias ldap \
>   -dname "cn=localhost" -keypass changeit -keystore ldap.p12 \
>   -storepass changeit -storetype PKCS12
> 
> # extract a certificate from the keystore
> keytool -exportcert -alias ldap -rfc -keystore ldap.p12 -storepass changeit \
>   -storetype PKCS12 -file ldap.cer
> 
> # extract the private key from the keystore
> openssl pkcs12 -in ldap.p12 -passin pass:changeit -nodes -nocerts | \
>   openssl rsa | \
>   openssl pkcs8 -topk8 -nocrypt -outform DER -out ldap-privatekey.der
> 
> # derive a public key from the private key in the keystore (this may
> # be incorrect, but it does not seem to matter for ApacheDS)
> openssl pkcs12 -in ldap.p12 -passin pass:changeit -nodes -nocerts | \
>   openssl rsa -pubout -outform DER -out ldap-publickey.der
> 
> # import the server certificate to the truststore for V-Flex to use
> # this is a self-signed (root) certificate, so you will be asked to confirm
> # that you trust it
> keytool -importcert -alias ldap -keystore .truststore -storepass changeit \
>   -keypass changeit -file ldap.cer
> 
> To utilize the keys and certificate in ApacheDS:
> 1. browse to uid=admin,ou=system in the LDAP Browser
> 2. double-click on privateKey, click Load Data..., select
> ldap-privatekey.der and click OK
> 3. double-click on publicKey, click Load Data..., select
> ldap-publickey.der and click OK
> 4. double-click on userCertificate, click Load Certificate..., select
> ldap.cer and click OK
> 5. disconnect from the server
> 6. stop the server
> 7. restart the server
> 8. connect to the server
> 9. accept the new certificate as trusted
> 
> -- 
> Mat Gessel
> http://www.asquare.net
> 
> On Tue, Jun 26, 2012 at 12:30 PM, Mat Gessel <mat.gessel@gmail.com> wrote:
>> However, I am unable to connect
>> when I specify a self-signed certificate for the server (via
>> uid=admin,ou=system).
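
The procedure quoted above ends with the rule that userCertificate must be the certificate of privateKey, but it never checks that before the values are loaded. The script below is an added example, not code from the thread or from ApacheDS: it produces the same three artifacts (PKCS#8 DER private key, SPKI DER public key, PEM certificate) from a PKCS#12 store and then verifies, offline, that the certificate's SubjectPublicKeyInfo is byte-identical to the public key of the private key, which is exactly the condition whose violation gives the handshake error. It assumes only that openssl (1.1.1 or later) is on PATH; the store is built with openssl instead of keytool -genkeypair so that no JDK is needed, and a second, unrelated key pair is generated to show the mismatch case. The directory name, the alias "ldap" and the password "changeit" are taken from the post; everything else is this example's own choice.

```shell
#!/bin/sh
# Added example: not from the original post or from ApacheDS.
# Assumes: openssl (1.1.1 or 3.x) is on PATH. keytool is not needed because
# the PKCS#12 store is built with openssl; everything after that follows the
# post's extraction procedure and adds the key/certificate consistency check.
set -eu

# Produce the PKCS#12 store and the three values ApacheDS wants on
# uid=admin,ou=system. $1 = output directory, $2 = CN (the name clients dial).
build_material() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  # Self-signed certificate + 2048-bit RSA key (the job keytool -genkeypair
  # does in the post). A subjectAltName is added too: current TLS clients
  # match the host name against the SAN rather than the CN.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
    -addext "subjectAltName=DNS:$cn" \
    -keyout "$dir/tmp-key.pem" -out "$dir/tmp-cert.pem" 2>/dev/null
  # Package as PKCS#12, the form keytool -storetype PKCS12 writes.
  openssl pkcs12 -export -name ldap -inkey "$dir/tmp-key.pem" \
    -in "$dir/tmp-cert.pem" -passout pass:changeit -out "$dir/ldap.p12"
  rm "$dir/tmp-key.pem" "$dir/tmp-cert.pem"   # only the store remains, as with keytool

  # privateKey: PKCS#8, DER, unencrypted (same pipeline as the post, minus
  # the redundant "openssl rsa" stage)
  openssl pkcs12 -in "$dir/ldap.p12" -passin pass:changeit -nodes -nocerts |
    openssl pkcs8 -topk8 -nocrypt -outform DER -out "$dir/ldap-privatekey.der"
  # publicKey: SubjectPublicKeyInfo, DER, derived from the private key
  openssl pkey -inform DER -in "$dir/ldap-privatekey.der" \
    -pubout -outform DER -out "$dir/ldap-publickey.der"
  # userCertificate: the certificate, PEM
  openssl pkcs12 -in "$dir/ldap.p12" -passin pass:changeit -nokeys -clcerts |
    openssl x509 -out "$dir/ldap.cer"
}

# SHA-256 of the DER SubjectPublicKeyInfo computed from a PKCS#8 DER key ($1).
spki_of_key() {
  openssl pkey -inform DER -in "$1" -pubout -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER SubjectPublicKeyInfo carried inside a PEM certificate ($1).
spki_of_cert() {
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# The invariant the thread arrives at: userCertificate must certify the key in
# privateKey. Exit 0 when the PKCS#8 DER key in $1 is the one certified by the
# PEM certificate in $2; any other pairing produces the TLS handshake error.
key_matches_cert() {
  [ "$(spki_of_key "$1")" = "$(spki_of_cert "$2")" ]
}

# Subject of a PEM certificate ($1) in RFC 2253 form, to confirm that the CN
# is the host name clients will actually use.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

WORK=${TMPDIR:-/tmp}/apacheds-tls.$$
build_material "$WORK/good"  localhost
build_material "$WORK/other" localhost   # unrelated key pair with the same CN

echo "subject: $(cert_subject "$WORK/good/ldap.cer")"
if key_matches_cert "$WORK/good/ldap-privatekey.der" "$WORK/good/ldap.cer"; then
  echo "good key + good cert: consistent, safe to load into ApacheDS"
fi
# What happens when userCertificate is replaced but privateKey is left alone:
if ! key_matches_cert "$WORK/other/ldap-privatekey.der" "$WORK/good/ldap.cer"; then
  echo "other key + good cert: mismatch, this is the handshake failure"
fi
```

Run key_matches_cert against the two files before loading them into uid=admin,ou=system; if it fails, the server will present a certificate it cannot prove possession of, and every TLS client will abort the handshake. The generated files are left under $WORK so they can be inspected with openssl asn1parse.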

