Sun Java System Directory Server Enterprise Edition 6.3 Troubleshooting Guide

Verifying the Certificates Using dsadm

The certificate database resides in the instance-path/alias directory. Get the contents of this directory for each server involved in the problem.

For example, to see a list of the certificates that can be used as ns-slapd certificates (certificates with u,, trust flags), use the dsadm command as follows:


dsadm list-certs instance-path

The command lists the certificates, such as defaultCert, the date from which it is valid, the date it expires, whether it is self-signed, who issued it, and to whom it is issued.

To see information about valid and trusted CA certificates (certificates with CT,, trust flags), use the dsadm command as follows:


dsadm list-certs --ca instance-path

This command provides the certificate alias, its dates of validity and expiration, whether it is built in, who issued it, and to whom it was issued. Verify that the SSL server and client certificates were issued by certificate authorities that appear in the output of this command.

For detailed information about a particular certificate, use the dsadm command as follows:


dsadm show-cert instance-path certificate-alias

For example, the output of this command appears as follows:


server1 [/var/dsee/instances]> dsadm show-cert ds1 defaultCert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:85:8b:13:ef
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer:
            "CN=server1,CN=Directory Server,O=example.com"
        Validity:
            Not Before: Fri Mar 23 14:10:51 2007
            Not After : Sat Jun 23 14:10:51 2007
        Subject:
            "CN=server1,CN=Directory Server,O=example.com"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    9a:c9:52:bd:ec:32:43:1a:39:96:90:02:f5:7e:18:45:
                    78:37:ca:8d:8f:c4:cc:6f:d1:7e:6c:38:d1:a1:53:41:
                    96:67:07:c7:c8:56:78:d1:f2:24:df:1f:eb:b2:07:5d:
                    6e:1f:58:fa:7a:f2:00:e4:95:d1:57:97:37:9d:22:31:
                    1c:b7:99:29:df:a3:8a:2a:87:e1:8b:54:ea:1f:7c:b7:
                    28:23:ce:be:7e:73:b3:87:f5:32:88:56:4e:58:68:f6:
                    f6:01:2c:51:ca:07:00:40:ca:b3:9e:33:40:e8:f2:18:
                    bc:16:d4:ac:ae:69:a7:c9:d7:g5:34:d4:87:11:2c:b1
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        29:76:4f:9f:ca:00:09:7b:05:ac:0f:26:6f:d1:93:aa:
        a8:c0:eb:a9:2a:39:e2:6e:08:0a:90:41:e5:7f:18:4a:
        17:05:03:04:9b:ee:0a:dc:3c:ef:ee:aa:fc:ea:85:bf:
        f9:05:32:65:35:2c:e8:1f:32:9d:d6:a7:aa:68:a4:7a:
        e8:d9:4a:a0:a6:bc:fd:36:ba:d3:80:8a:1b:d3:81:8a:
        68:1a:73:cc:36:7a:92:dc:eb:ec:af:02:6b:14:c7:77:
        e3:7d:95:19:e7:17:9d:d2:35:67:60:6b:9f:9b:d9:af:
        01:f2:55:7f:5f:ce:23:a0:49:67:01:cd:30:38:8b:d2
    Fingerprint (MD5):
        B8:34:27:AA:02:F6:07:FC:8F:D1:4A:AD:38:29:09
    Fingerprint (SHA1):
        3C:3B:BD:15:E8:1F:68:2E::E8:EJ:02:63:CD:8F:39:BE:DD:70

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User

Confirm the validity of the certificate. Also, confirm that the issuer of the certificate is a valid and trusted certificate authority.
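The checks just described, as an added example that is not part of the guide: a Python script that post-processes captured dsadm show-cert output (saved to a text file, for instance by redirecting the command), confirms the validity window, the u SSL trust flag, and whether the issuer is among the trusted CA subject DNs read from dsadm list-certs --ca. The sample output embedded below is constructed from the page's listing, and the trusted CA set is an assumed input.

```python
import re
from datetime import datetime

# Constructed sample: the page's show-cert output, trimmed to the fields the checks read.
SAMPLE_SHOW_CERT = """\
Certificate:
    Data:
        Issuer:
            "CN=server1,CN=Directory Server,O=example.com"
        Validity:
            Not Before: Fri Mar 23 14:10:51 2007
            Not After : Sat Jun 23 14:10:51 2007
        Subject:
            "CN=server1,CN=Directory Server,O=example.com"
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
"""

def parse_dsadm_date(text):
    """Parse the date format dsadm prints, e.g. 'Sat Jun 23 14:10:51 2007'."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y")

def parse_show_cert(text):
    """Extract issuer, subject, validity window and SSL trust flags from show-cert output."""
    def grab(pattern):  # first capture group of the pattern, or None if it is absent
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    dn = lambda label: grab(r'^\s*' + label + r':\s*\n\s*"([^"]*)"')  # DN is quoted on the next line
    when = lambda label: parse_dsadm_date(grab(r'^\s*' + label + r' ?:(.+)$'))  # 'Not After :' has a space before ':'
    ssl = grab(r'SSL Flags:\n((?: {12}\S.*\n)+)')  # flag names sit exactly 12 spaces in
    return {"issuer": dn("Issuer"), "subject": dn("Subject"),
            "not_before": when("Not Before"), "not_after": when("Not After"),
            "ssl_flags": [line.strip() for line in ssl.splitlines()] if ssl else []}

def check_cert(text, trusted_ca_subjects, now=None):
    """Findings for one certificate (empty list = passed); trusted_ca_subjects are the
    subject DNs of the CAs that 'dsadm list-certs --ca' shows as trusted (assumed input)."""
    cert, now, findings = parse_show_cert(text), now or datetime.now(), []
    if not (cert["not_before"] <= now <= cert["not_after"]):
        findings.append("outside validity window")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    if cert["issuer"] not in trusted_ca_subjects:
        findings.append("issuer is not a trusted CA")
    if "User" not in cert["ssl_flags"]:
        findings.append("missing 'u' SSL trust flag, not usable as the server certificate")
    return findings
```

Run check_cert on each server's show-cert output with the CA subjects collected from every server involved; a non-empty findings list points at the certificate that breaks the SSL connection.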