OpenDJ: More fun with certs

While writing documentation on how to move OpenDJ servers, the tricky bit turned out to be switching certificates after changing hosts. Because the server host name is embedded in the certificate (the CN of its subject DN), moving a server means replacing its certificates, at least the admin-cert in the admin-keystore (which holds the private key) and in the admin-truststore. You can replace the admin-cert with another self-signed cert, as follows.

  1. Remove the certificate to replace from the keystore and from the truststore.
    $ keytool -delete -alias admin-cert -keystore admin-keystore \
    > -storepass `cat admin-keystore.pin`
    $ keytool -delete -alias admin-cert -keystore admin-truststore \
    > -storepass `cat admin-keystore.pin`
  2. Generate the private key, storing it in the keystore.
    $ keytool -genkey -alias admin-cert -keyalg RSA \
    > -dname "CN=hostname, O=Administration Connector Self-Signed Certificate" \
    > -keystore admin-keystore -storepass `cat admin-keystore.pin` \
    > -keypass `cat admin-keystore.pin`
  3. Self-sign what you generated.
    $ keytool -selfcert -alias admin-cert -keystore admin-keystore \
    > -storepass `cat admin-keystore.pin`
  4. Export the certificate from the keystore.
    $ keytool -export -alias admin-cert -keystore admin-keystore \
    > -storepass `cat admin-keystore.pin` -file admin-cert.crt
    Certificate stored in file <admin-cert.crt>
  5. Import the certificate into the truststore.
    $ keytool -import -alias admin-cert -keystore admin-truststore \
    > -storepass `cat admin-keystore.pin` -file admin-cert.crt
    Owner: CN=hostname, O=Administration Connector Self-Signed Certificate
    Issuer: CN=hostname, O=Administration Connector Self-Signed Certificate
    Serial number: 4e0321c6
    Valid from: Thu Jun 23 13:21:42 CEST 2011 until: Wed Sep 21 13:21:42 CEST 2011
    Certificate fingerprints:
      MD5:  5C:4B:CC:9A:37:E2:71:BD:C4:86:8E:FC:D4:37:39:57
      SHA1: 70:D0:36:0D:EB:0D:AC:45:6D:A4:EF:8A:8E:CB:C7:04:7D:3A:EE:6E
      Signature algorithm name: SHA1withRSA
      Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
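As an added example that is not part of the original post, here is a shell script that checks whether the admin-cert's CN still matches the current host and, only if it does not, runs the keytool steps above non-interactively with an explicit validity period. It assumes keytool is on the PATH and the usual OpenDJ config/ layout (admin-keystore, admin-truststore, admin-keystore.pin); SAMPLE_LISTING is a constructed keytool listing used to illustrate the check.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes keytool on PATH and the
# OpenDJ config/ layout: admin-keystore, admin-truststore, admin-keystore.pin.

# Constructed keytool -list -v output for a server that was moved from oldhost.
SAMPLE_LISTING='Alias name: admin-cert
Entry type: PrivateKeyEntry
Owner: CN=oldhost.example.com, O=Administration Connector Self-Signed Certificate
Issuer: CN=oldhost.example.com, O=Administration Connector Self-Signed Certificate'

# Print the CN from the first "Owner:" line of a keytool -list -v listing.
cert_cn() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Owner:[[:space:]]*CN=\([^,]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the owner CN no longer matches the expected host name.
needs_rotation() {   # $1 = keytool listing, $2 = expected host name
  [ "$(cert_cn "$1")" != "$2" ]
}

# Replace admin-cert in both stores: $1 = config dir, $2 = host, $3 = validity days.
rotate_admin_cert() {
  cfg=$1; host=$2; days=${3:-365}
  pin=$(cat "$cfg/admin-keystore.pin")
  dn="CN=$host, O=Administration Connector Self-Signed Certificate"
  # 1. Remove the old entries (ignore failures if an alias is already absent).
  keytool -delete -alias admin-cert -keystore "$cfg/admin-keystore" -storepass "$pin" 2>/dev/null
  keytool -delete -alias admin-cert -keystore "$cfg/admin-truststore" -storepass "$pin" 2>/dev/null
  # 2. Generate the key pair; keytool wraps it in a self-signed cert, so the
  #    separate -selfcert step is only needed to re-sign an existing key.
  #    Without -validity the cert expires after keytool's default of 90 days.
  keytool -genkey -alias admin-cert -keyalg RSA -keysize 2048 -validity "$days" \
    -dname "$dn" -keystore "$cfg/admin-keystore" -storepass "$pin" -keypass "$pin" || return 1
  # 3/4. Export the public cert and import it into the trust store.
  keytool -export -alias admin-cert -keystore "$cfg/admin-keystore" \
    -storepass "$pin" -file "$cfg/admin-cert.crt" || return 1
  keytool -import -noprompt -alias admin-cert -keystore "$cfg/admin-truststore" \
    -storepass "$pin" -file "$cfg/admin-cert.crt"
}

# Usage: sh rotate-admin-cert.sh /path/to/opendj/config [validity-days]
if [ -n "$1" ]; then
  host=$(hostname)
  listing=$(keytool -list -v -alias admin-cert -keystore "$1/admin-keystore" \
    -storepass "$(cat "$1/admin-keystore.pin")" 2>/dev/null)
  if needs_rotation "$listing" "$host"; then
    rotate_admin_cert "$1" "$host" "$2"
  else
    echo "admin-cert already issued to $host; nothing to do"
  fi
fi
```

Run it with the server stopped, then restart OpenDJ so the administration connector picks up the new key pair.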

I'm going to add this in the right place in the Admin Guide pretty soon. You might also want to do something like this if your self-signed cert gets so old that it is no longer valid.


Filed under Directory Services and LDAP

5 responses to “OpenDJ: More fun with certs”

  1. Manuel

    Mark,
    thanks for this article. The procedure for changing those certificates wasn’t documented very well (or at least I haven’t found it yet). Now it is.
    But I think that the ads-truststore also becomes relevant if the instance is part of a (securely) replicated topology and the hostname referenced in ads-certificate changes. Am I right?
    So it would be nice to see some documentation that addresses the certificate stuff that’s relevant when using secure replication between OpenDJ instances…
    Manuel

  2. Hi Manuel,

    The update to the Admin Guide that I posted yesterday covers the question in a bit more detail, explaining the different keystores at the outset of the procedure, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#d1041e5100.

    Basically secure replication depends on the public certs from other replicas in the ads-truststore, and the server certs in the admin-keystore and admin-truststore. OpenDJ works out the certificates when you enable replication.

  3. Simo

    Hi Mark,
    How do I change the admin keystore, admin truststore and ads-truststore locations?
    Can those be set during OpenDJ installation?

    Thanks,
    Simo

    • Hi Simo,

      The locations of the key stores and trust stores are specified in OpenDJ’s configuration.

      It looks like you can set them at installation time. For example, the setup command can take options like --useJavaKeystore {keyStorePath}. (See the reference at http://docs.forgerock.org/en/opendj/2.6.0/admin-guide/index/setup-1.html for details.)

      To see how to change the locations after installation, try using dsconfig in interactive mode. You can start dsconfig in interactive mode by entering the command with no options or only the connection options. Then look at the “Key Manager Provider” and “Trust Manager Provider” menu options. The “Crypto Manager” also lets you set the alias of the cert used for replication.

      Hope it helps,
      Mark

  4. As usual Java certificate management is about 10 times worse than openssl.
