
I am trying to setup a new 389 Directory Server in a RHEL machine and I am trying to configure SSL for LDAPS using the command line.

I have just spent several hours digging through every piece of information on how to do this but every page keeps talking about certutil for generating CAs and Certificates. I already have the certificates and the corresponding CA chain file for importing in the server and don't want to have the LDAP server generate them.

Am I missing something? Certutil has a -A flag for adding certificates to the database, but I could not find a way to add the key as well, only the public part of the certificate, which is a bit useless without the corresponding key.

ByteFlinger

1 Answer


Answering my own question. It turns out you can perform the import of the certificate and keys from a p12 using pk12util; however, there are some issues with it. These are based on the binaries that ship with Red Hat DS 9.0.

pk12util will not respect the -n flag on import. The imported certificate entry nickname will be the alias in the p12 file. Also, for whatever reason, I had issues when importing 2 different certificates with different nicknames in their p12 keystores. The nickname in the store would end up the same as another one in there. This may have been triggered by the fact that the subjects of the certificates were the same. Adding an OU attribute with different values fixed the issue. certutil can then be used to import the CA certificates.

ByteFlinger

Ah thanks, this was pretty instant. Not sure why the 389 admin tool doesn't accept P12s to be imported. – Adambean Apr 13 '16 at 19:49
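As an added, worked example (not from the question, the answer, or the 389 DS project), here is the procedure the answer describes written as a POSIX shell script. It assumes the instance's NSS database lives in $NSSDB (389 DS keeps it under /etc/dirsrv/slapd-<instance>, with the token PIN in pwdfile.txt) and that openssl, pk12util and certutil are on PATH; server.crt, server.key, ca-chain.pem, p12pass.txt and the nicknames are placeholders. Because pk12util takes the nickname from the PKCS#12 alias, the alias is fixed when the bundle is built with openssl rather than at import time, and a subject check is included for the collision the answer ran into when importing more than one bundle.

```shell
#!/bin/sh
# Added example, not code from the original post or from 389 DS.
# Assumptions (hypothetical): the instance's NSS database is $NSSDB
# (389 DS keeps it under /etc/dirsrv/slapd-<instance> with the token PIN in
# pwdfile.txt), and openssl, pk12util and certutil are on PATH. File names
# such as server.crt, server.key and ca-chain.pem are placeholders.
set -eu

NSSDB="${NSSDB:-/etc/dirsrv/slapd-localhost}"

# pk12util -i takes the nickname from the PKCS#12 friendly name (the alias),
# so choose it when the bundle is built. Make it match nsSSLPersonalitySSL in
# dse.ldif (usually "Server-Cert") or the server will not find its certificate.
build_p12() {  # build_p12 <cert.pem> <key.pem> <alias> <out.p12> <passfile>
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
        -passout "file:$5"
}

# Print the friendly name stored in a PKCS#12 file: this is the nickname the
# certificate gets in the NSS database regardless of any -n given to pk12util.
p12_alias() {  # p12_alias <bundle.p12> <passfile>
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName: //p' | head -n 1
}

# Succeed only if every certificate has a different subject DN. Bundles with
# identical subjects collided on nickname in the answer above; giving each its
# own OU avoids that, and this check catches the collision before import.
distinct_subjects() {  # distinct_subjects <cert.pem>...
    total=$#
    unique=$(for c in "$@"; do openssl x509 -noout -subject -in "$c"; done \
        | sort -u | awk 'END { print NR }')
    [ "$unique" -eq "$total" ]
}

# certutil -A imports one certificate per call, so a chain file is split into
# one PEM file per certificate. Prints how many were written.
split_pem_chain() {  # split_pem_chain <chain.pem> <outdir> <prefix>
    mkdir -p "$2"
    awk -v dir="$2" -v pfx="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pfx "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Import certificate plus private key. -k is the NSS token PIN file, -w the
# PKCS#12 password file. No -n: the alias in the bundle decides the nickname.
import_server_cert() {  # import_server_cert <bundle.p12> <p12 passfile>
    pk12util -i "$1" -d "$NSSDB" -k "$NSSDB/pwdfile.txt" -w "$2"
}

# CA certificates carry no private key, so certutil -A suffices; "CT,," marks
# them trusted to issue server and client certificates.
import_ca_cert() {  # import_ca_cert <ca.pem> <nickname>
    certutil -A -d "$NSSDB" -n "$2" -t "CT,," -a -i "$1"
}

# Verify the result: the certificate list must show the alias, and the key
# list must show a key for it, proving the private half arrived with the cert.
show_db() {
    certutil -L -d "$NSSDB"
    certutil -K -d "$NSSDB" -f "$NSSDB/pwdfile.txt"
}

main() {
    build_p12 server.crt server.key "Server-Cert" server.p12 p12pass.txt
    import_server_cert server.p12 p12pass.txt
    split_pem_chain ca-chain.pem ./ca-split ca >/dev/null
    i=0
    for f in ./ca-split/ca-*.pem; do
        i=$((i + 1))
        import_ca_cert "$f" "CA-Cert-$i"
    done
    show_db
}

# Only touch the live database when asked explicitly.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run, preferably with the instance stopped so ns-slapd picks up the database cleanly on start, and keep the database files owned by the dirsrv user if you run it as root. Afterwards, certutil -L should list the alias you chose with trust flags "u,u,u", and certutil -K should list a key for that nickname; if the alias differs from nsSSLPersonalitySSL in dse.ldif, fix one or the other before enabling LDAPS. p12_alias, distinct_subjects and split_pem_chain need only openssl and can be run against the files before anything is imported.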