directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mat Gessel <>
Subject Re: Can't connect w/ encryption after loading a custom certificate
Date Wed, 27 Jun 2012 19:23:07 GMT
Figured it out. In this case the handshake error means that the data
being served does not cryptographically correspond to the trusted
certificate. The value of "userCertificate" must be derived from the
value of "privateKey". If you change "userCertificate" on
"uid=admin,ou=system" you must also change "privateKey" to the
corresponding private key.

Getting a private key and corresponding certificate is a bit difficult
with keytool (the Java key/certificate tool) because keytool does not
expose private keys. Here is the procedure I came up with (copied from
another document):

*** Installing a Certificate Generated By Keytool ***

When you create a new server, a private key and certificate are
automatically created on the admin entry (uid=admin,ou=system).
Unfortunately, the certificate references an non-existant issuer. This
means that clients which expect a valid certificate cannot connect to
the server.

In this procedure we will:
1. create a keystore containing a private key & certificate.
2. export the certificate
3. export the public key to X.509/DER format
4. export the private key to PKCS#8/DER format
5. import the keys and certificate to ApacheDS

# create a PKCS#12 keystore containing a 2048 bit RSA private key and
a certificate for localhost
# the CN must match the host name of the server. A CN of "localhost"
will not work for ldaps://my-server:389 or vice-versa
# we create a keystore in PKCS#12 format for consumption by OpenSSL
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias
ldap -dname "cn=localhost" -keypass changeit -keystore ldap.p12
-storepass changeit -storetype PKCS12

# extract a certificate from the keystore
keytool -exportcert -alias ldap -rfc -keystore ldap.p12 -storepass
changeit -storetype PKCS12 -file ldap.cer

# extract the private key from the keystore
openssl pkcs12 -in ldap.p12 -passin pass:changeit -nodes -nocerts |
openssl rsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out

# derive a public key from the private key in the keystore (this may
be incorrect, but it does not seem to matter for ApacheDS)
openssl pkcs12 -in ldap.p12 -passin pass:changeit -nodes -nocerts |
openssl rsa -pubout -outform DER -out ldap-publickey.der

# import the server certificate to the truststore for V-Flex to use
# this is a self-signed (root) certificate, so you be asked to confirm
that you trust it
keytool -importcert -alias ldap -keystore .truststore -storepass
changeit -keypass changeit -file ldap.cer

To utilize the keys and certificate in ApacheDS:
1. browse to uid=admin,ou=system in the LDAP Browser
2. double-click on privateKey, click Load Data..., select
ldap-privatekey.der and click OK
3. double-click on publicKey, click Load Data..., select
ldap-publickey.der and click OK
4. double-click on userCertificate, click Load Certificate..., select
ldap.cer and click OK
5. disconnect from the server
6. stop the server
7. restart the server
8. connect to the server
9. accept the new certificate as trusted

Mat Gessel

On Tue, Jun 26, 2012 at 12:30 PM, Mat Gessel <> wrote:
> However, I am unable to connect
> when I specify a self-signed certificate for the server (via
> uid=admin,ou=system).

View raw message