New server certificate for LDAPS


Some notes on creating and using a new server certificate for LDAPS with OpenDJ.

This version shows the command-line configuration.

Step 1. Generate and self-sign the server certificate using the keytool command.

The keytool command comes with the Java environment.

mark@mark-netbook:~/OpenDJ$ keytool -genkey -alias server-cert \
 -keyalg rsa -dname "CN=mark-netbook,O=Example Corp,C=FR" \
 -keystore config/keystore -storepass changeit -keypass changeit
mark@mark-netbook:~/OpenDJ$ keytool -selfcert -alias server-cert \
 -keystore config/keystore -storepass changeit

Notice that the hostname in the CN attribute matches the hostname of the laptop used for this test installation.

Also notice that a JKS keystore is created here in the OpenDJ/config/ directory.

Step 2. Start the dsconfig command in interactive mode.

mark@mark-netbook:~/OpenDJ$ ./bin/dsconfig

>>>> Specify OpenDS LDAP connection parameters

Directory server hostname or IP address [mark-netbook]: 

Directory server administration port number [4444]: 

Administrator user bind DN [cn=Directory Manager]: 

Password for user 'cn=Directory Manager': 

>>>> OpenDS configuration console main menu

What do you want to configure?

    1)   Access Control Handler               23)  Log Rotation Policy
    2)   Account Status Notification Handler  24)  Matching Rule
    3)   Administration Connector             25)  Monitor Provider
    4)   Alert Handler                        26)  Network Group
    5)   Attribute Syntax                     27)  Network Group QOS Policy
    6)   Backend                              28)  Password Generator
    7)   Certificate Mapper                   29)  Password Policy
    8)   Connection Handler                   30)  Password Storage Scheme
    9)   Crypto Manager                       31)  Password Validator
    10)  Debug Target                         32)  Plugin
    11)  Entry Cache                          33)  Plugin Root
    12)  Extended Operation Handler           34)  Replication Domain
    13)  Extension                            35)  Replication Server
    14)  External Changelog Domain            36)  Root DN
    15)  Global Configuration                 37)  Root DSE Backend
    16)  Group Implementation                 38)  SASL Mechanism Handler
    17)  Identity Mapper                      39)  Synchronization Provider
    18)  Key Manager Provider                 40)  Trust Manager Provider
    19)  Local DB Index                       41)  Virtual Attribute
    20)  Local DB VLV Index                   42)  Work Queue
    21)  Log Publisher                        43)  Workflow
    22)  Log Retention Policy                 44)  Workflow Element

    q)   quit

Enter choice:

Step 3. Configure the File Based Key Manager Provider for JKS to use the filename and keystore PIN that you set up with the keytool command.

>>>> Configure the properties of the File Based Key Manager Provider

        Property                            Value(s)
        ---------------------------------------------------
    1)  enabled                             true
    2)  key-store-file                      config/keystore
    3)  key-store-pin                       changeit
    4)  key-store-pin-environment-variable  -
    5)  key-store-pin-file                  -
    6)  key-store-pin-property              -
    7)  key-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the File Based Key Manager Provider
    c)  cancel
    q)  quit

Enter choice [f]: 

The File Based Key Manager Provider was modified successfully

Step 4. Configure the File Based Trust Manager Provider for JKS to use the keystore and PIN you set up.

>>>> Configure the properties of the File Based Trust Manager Provider

        Property                              Value(s)
        -----------------------------------------------------
    1)  enabled                               true
    2)  trust-store-file                      config/keystore
    3)  trust-store-pin                       changeit
    4)  trust-store-pin-environment-variable  -
    5)  trust-store-pin-file                  -
    6)  trust-store-pin-property              -
    7)  trust-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the File Based Trust Manager Provider
    c)  cancel
    q)  quit

Enter choice [f]: 

The File Based Trust Manager Provider was modified successfully

Step 5. Configure the listen-port and enabled properties of the LDAPS Connection Handler as shown below.

>>>> Configure the properties of the LDAP Connection Handler

         Property                Value(s)
         ----------------------------------------------------------------------
    1)   allow-ldap-v2           true
    2)   allow-start-tls         false
    3)   allowed-client          All clients with addresses that do not match
                                 an address on the deny list are allowed. If
                                 there is no deny list, then all clients are
                                 allowed.
    4)   denied-client           If an allow list is specified, then only
                                 clients with addresses on the allow list are
                                 allowed. Otherwise, all clients are allowed.
    5)   enabled                 true
    6)   keep-stats              true
    7)   key-manager-provider    JKS
    8)   listen-address          0.0.0.0
    9)   listen-port             1636
    10)  ssl-cert-nickname       Let the server decide.
    11)  ssl-cipher-suite        Uses the default set of SSL cipher suites
                                 provided by the server's JVM.
    12)  ssl-client-auth-policy  optional
    13)  ssl-protocol            Uses the default set of SSL protocols provided
                                 by the server's JVM.
    14)  trust-manager-provider  JKS
    15)  use-ssl                 true

    ?)   help
    f)   finish - apply any changes to the LDAP Connection Handler
    c)   cancel
    q)   quit

Enter choice [f]: 

The LDAP Connection Handler was modified successfully

Step 6. Try a search using SSL to check that your new certificate is in place.

mark@mark-netbook:~/OpenDJ$ ./bin/ldapsearch --port 1636 --useSSL \
 --baseDN "" --searchScope base "(objectclass=*)"

The server is using the following certificate:
Subject DN:  CN=mark-netbook, O=Example Corp, C=FR
Issuer DN:  CN=mark-netbook, O=Example Corp, C=FR
Validity:  Tue Apr 05 16:47:26 CEST 2011 through Mon Jul 04 16:47:26 CEST 2011
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
dn:
objectClass: top
objectClass: ds-root-dse

Of course, client applications should not trust this self-signed certificate by default, but it can be used for tests.
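As an added Python example (not part of these notes or of OpenDJ), here is a non-interactive version of the Step 6 check: a client pins the server certificate exported with keytool -exportcert -rfc instead of answering "yes" at the prompt, and evaluates whether the CN matches the hostname, whether the certificate is self-signed, and whether it is inside its validity period. The sample certificate dict is constructed from the ldapsearch output above; fetch_ldaps_cert and the server-cert.pem path are assumptions.

```python
"""Evaluate the certificate an OpenDJ LDAPS listener presents.
Added example, not OpenDJ code or the original notes."""
import socket
import ssl
import time

# Constructed sample: the self-signed certificate from the ldapsearch output,
# re-typed in the dict layout that ssl.SSLSocket.getpeercert() returns
# (times are UTC, so 16:47 CEST becomes 14:47 GMT).
SAMPLE_CERT = {
    "subject": ((("commonName", "mark-netbook"),),
                (("organizationName", "Example Corp"),),
                (("countryName", "FR"),)),
    "issuer": ((("commonName", "mark-netbook"),),
               (("organizationName", "Example Corp"),),
               (("countryName", "FR"),)),
    "notBefore": "Apr  5 14:47:26 2011 GMT",
    "notAfter": "Jul  4 14:47:26 2011 GMT",
}


def _rdn_value(name, oid):
    """Return the first value of attribute `oid` in a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == oid:
                return value
    return None


def evaluate_cert(cert, expected_host, now=None):
    """Report CN/hostname match, self-signed status and validity at `now`."""
    now = time.time() if now is None else now
    subject_cn = _rdn_value(cert["subject"], "commonName")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": subject_cn,
        "cn_matches_host": subject_cn is not None
        and subject_cn.lower() == expected_host.lower(),
        "self_signed": cert["subject"] == cert["issuer"],
        "within_validity": not_before <= now < not_after,
    }


def fetch_ldaps_cert(host, port, cafile):
    """Connect to the LDAPS port trusting only `cafile` (assumed to hold the
    certificate exported with: keytool -exportcert -alias server-cert
    -keystore config/keystore -rfc -file server-cert.pem); the handshake
    fails instead of prompting if the server presents anything else."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run evaluate_cert(fetch_ldaps_cert("mark-netbook", 1636, "server-cert.pem"), "mark-netbook") against a live server; a self_signed result of True is the reminder that this certificate is for tests only.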