
In my research, I found some RFCs that have not been updated in over a decade, e.g. draft-ietf-pkix-ldap-crl-schema-01.

I also explored several public directories used in PKI (e.g. x500.bund.de) and established that they chose not to stick to that RFC. Other directories I found did not follow that recommendation either.

At this point I am under the impression that people roll their own schema, as I failed to find some consensus in this regard.

What reading material do you recommend for determining a schema for PKI? And in the same context, if you happen to run such a server - what schema did you choose, and why?

ralien

2 Answers


I'm assuming you're trying to deploy your own LDAP backed certificate service. The best matching schema for this purpose is the cosine schema available in all OpenLDAP installations. If you don't want to install the openldap server just to get the schema, then simply extract it from the source code here - http://www.openldap.org/software/download/ . The cosine schema can be found in folder servers\slapd\schema under the root directory of the source code.

Since I don't know the full details of your requirement, I'm guessing that the minimum set of attribute types that you would need to store for a PKI would be: public certificates of the user, CA certificates and certificate revocation lists. These attributes are available in this schema.

In case you need specific tweaks and customization, you can always add your own supporting schema with additional attributes or objects with a custom mix 'n match of attributes. See this reference for more details - http://www.openldap.org/doc/admin24/schema.html . I've had to do this on several occasions, and it's difficult to get the syntax right initially, but it's straightforward once you get the hang of it.

  • Thank you for your answer. I have checked the corresponding RFC 4524 and found no references to certificate revocation lists or any PKI related entries. Inside cosine.schema some of these attributes are mentioned, but they are commented out. Am I correct when I say that this schema cannot be used 'as is', and that its application in LDAP for PKI requires tweaking? – ralien Jun 24 '16 at 08:04
  • Yes, Alex, I'll give a reference from the latest source code which I got from the openldap website - ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz. The file cosine.schema does have many PKI-related attributes defined but commented out. For example: line 1613 has certificationAuthority, lines 2089 to 2111 define attributes such as certificates, certificate pairs and CRLs. You would need to re-write them in schema format either in an LDIF file or in the openldap modify schema session. – Sandeep S. Sandhu Jun 24 '16 at 08:45

Most deployments use RFC 4523, which also specifies the attributes certificateRevocationList and authorityRevocationList.
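As an added example (not code from the question or from either answer), the script below shows what an entry following the RFC 4523 schema named in the second answer looks like in the LDIF form the first answer's comment refers to: a CA entry carrying the AUXILIARY object class pkiCA with cACertificate and certificateRevocationList stored under the ;binary transfer option that RFC 4523 requires for DER-valued attributes. It writes the entry as RFC 2849 LDIF (base64 for binary values, lines folded at 76 characters), reads it back, and checks the attributes present against the PKI attributes each RFC 4523 object class allows, which is the kind of objectClass violation slapd reports when a certificate is put in an entry whose classes do not permit it. It uses only the standard library. The DN, the organization name, the DER blobs and the table of allowed attributes (abridged to the PKI attributes, not the superclasses' own) are constructed placeholders chosen for the example.

```python
"""Added example: write and read back an RFC 4523 CA entry as RFC 2849 LDIF.

Standard library only. The DER blobs below are constructed placeholders,
not real certificates or CRLs, and the DN/organization are made up.
"""
import base64
import re

# PKI attributes each RFC 4523 object class MAY carry (abridged to the PKI
# attributes; the structural classes' own attributes are not listed here).
RFC4523_MAY = {
    "pkiUser": {"userCertificate"},
    "pkiCA": {"cACertificate", "certificateRevocationList",
              "authorityRevocationList", "crossCertificatePair"},
    "deltaCRL": {"deltaRevocationList"},
}

# DER-valued attributes; RFC 4523 requires the ;binary transfer option for them.
BINARY_ATTRS = set().union(*RFC4523_MAY.values())

# RFC 2849 SAFE-STRING: ASCII, no CR/LF/NUL, not starting with space, ':' or '<'.
_SAFE = re.compile(r"^(?![ :<])[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def _fold(line, width=76):
    """Fold one logical LDIF line; continuation lines begin with a single space."""
    parts = [line[:width]]
    for i in range(width, len(line), width - 1):
        parts.append(" " + line[i:i + width - 1])
    return parts


def to_ldif(dn, attrs):
    """attrs maps attribute name -> list of str or bytes (bytes = DER values)."""
    lines = _fold("dn: " + dn)
    for name, values in attrs.items():
        for v in values:
            if isinstance(v, bytes):
                if name not in BINARY_ATTRS:
                    raise ValueError(f"{name} is not a DER-valued PKI attribute")
                lines += _fold(f"{name};binary:: {base64.b64encode(v).decode()}")
            elif _SAFE.match(v):
                lines += _fold(f"{name}: {v}")
            else:
                lines += _fold(f"{name}:: {base64.b64encode(v.encode()).decode()}")
    return "\n".join(lines) + "\n"


def from_ldif(text):
    """Parse one LDIF entry. Returns (dn, attrs, PKI attrs written without ;binary)."""
    logical = []
    for raw in text.splitlines():  # unfold: leading space continues previous line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    dn, attrs, missing_binary = None, {}, set()
    for line in logical:
        m = re.match(r"^([A-Za-z][\w.-]*)((?:;[\w-]+)*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: " + line)
        name, options, sep, value = m.groups()
        if sep == "::":
            decoded = base64.b64decode(value)
            value = decoded if name in BINARY_ATTRS else decoded.decode()
        if name == "dn":
            dn = value
            continue
        if name in BINARY_ATTRS and "binary" not in options.split(";"):
            missing_binary.add(name)
        attrs.setdefault(name, []).append(value)
    return dn, attrs, missing_binary


def schema_violations(attrs, missing_binary=frozenset()):
    """List PKI attributes no objectClass of the entry allows, plus ;binary omissions."""
    classes = set(attrs.get("objectClass", []))
    allowed = set().union(*(RFC4523_MAY.get(c, set()) for c in classes))
    problems = [f"{name} not allowed by objectClass {sorted(classes)}"
                for name in sorted(set(attrs) & BINARY_ATTRS) if name not in allowed]
    problems += [f"{name} stored without the ;binary transfer option"
                 for name in sorted(missing_binary)]
    return problems


# Constructed placeholder DER: a SEQUENCE header plus filler, not a real cert/CRL.
FAKE_CA_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_CRL = b"\x30\x82\x00\x40" + bytes(64)
CA_DN = "o=Example CA,dc=example,dc=com"
CA_ENTRY = {  # pkiCA is AUXILIARY, so a structural class (organization) is needed too
    "objectClass": ["top", "organization", "pkiCA"],
    "o": ["Example CA"],
    "cACertificate": [FAKE_CA_CERT],
    "certificateRevocationList": [FAKE_CRL],
}


def demo():
    ldif = to_ldif(CA_DN, CA_ENTRY)
    dn, attrs, missing = from_ldif(ldif)
    assert (dn, attrs) == (CA_DN, CA_ENTRY)  # round-trips, DER bytes included
    wrong = dict(CA_ENTRY, userCertificate=[FAKE_CA_CERT])  # end-entity cert on a CA
    return ldif, schema_violations(attrs, missing), schema_violations(wrong)


if __name__ == "__main__":
    text, ok, bad = demo()
    print(text)
    print("CA entry:", ok or "no schema violations")
    print("CA entry with userCertificate added:", bad)
```

The userCertificate case is the one to watch when "rolling your own": pkiCA does not allow it, so the entry needs pkiUser as well (or the certificate belongs elsewhere), and a server doing schema checking will refuse the add rather than silently store it.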