Sun Java System Directory Server Enterprise Edition 6.1 Administration Guide

Chapter 19 Directory Proxy Server Certificates

This chapter describes how to configure certificates on Directory Proxy Server. For information about configuring certificates on Directory Server, see Managing Certificates.

The procedures in this chapter use the dpadm and dpconf commands. For information about these commands, see the dpadm(1M) and dpconf(1M) man pages.


Default Self-Signed Certificate

When you create a Directory Proxy Server instance, it has a default self-signed certificate. A self-signed certificate is a public and private key pair, where the public key is self-signed by Directory Proxy Server.

Procedure: Viewing the Default Self-Signed Certificate

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the default self-signed certificate.


    $ dpadm show-cert instance-path defaultservercert

Creating, Requesting and Installing Certificates for Directory Proxy Server

To run the Secure Sockets Layer (SSL) on Directory Proxy Server, you must either use a self-signed certificate or a Public Key Infrastructure (PKI) solution.

The PKI solution involves an external Certificate Authority (CA). For a PKI solution you need a CA-signed server certificate, which contains both a public key and a private key. This certificate is specific to one Directory Proxy Server instance. You also need a trusted CA certificate, which contains a public key. The trusted CA certificate ensures that all server certificates from your CA are trusted. This certificate is sometimes called a CA root key or root certificate.

For information about how to create a non-default self-signed certificate and to request and install a CA-signed certificate, see the following procedures.

Procedure: To Create a Non-default Self-Signed Certificate for Directory Proxy Server

When you create a Directory Proxy Server instance, a default self-signed certificate is automatically provided. If you want to create a self-signed certificate with non-default settings, use this procedure.

The procedure creates the public and private key pair for a server certificate, where the public key is signed by Directory Proxy Server. A self-signed certificate is valid for three months.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. To create a non-default self-signed certificate for Directory Proxy Server, type:


    $ dpadm add-selfsign-cert instance-path cert-alias
    

    where cert-alias is the name of the self-signed certificate.

    For example, you could create a certificate called my-self-signed-cert as follows:


    $ dpadm add-selfsign-cert /local/dps my-self-signed-cert

    For a description of all command options, see the dpadm(1M) man page or type dpadm add-selfsign-cert --help at the command line.

Procedure: To Request a CA-Signed Certificate for Directory Proxy Server

Self-signed certificates are useful for test purposes. However, in a production environment, using trusted Certificate Authority (CA) certificates is more secure.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Request a CA-signed server certificate.


    $ dpadm request-cert instance-path cert-alias
    

    where cert-alias is the name of the certificate that you are requesting. Certificate Authorities might require all of the options of the command to identify the server. For a description of all command options, see the dpadm(1M) man page.

    The process for obtaining a CA certificate depends on the CA that you use. Some commercial CAs provide a web site that allows you to download the certificate. Other CAs will send the certificate to you in email.

    For example, you could request a certificate called my-CA-signed-cert as follows:


    $ dpadm request-cert -S cn=my-request,o=test /local/dps my-CA-signed-cert
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBYDCBygIBADAhMQ0wCwYDVQQDEwRnZXJpMRAwDgYDVQQDEwdteWNlcnQ0MIGfMA0GCSqGSIb3
    DQEBAQUAA4GNADCBiQKBgQC3v9ubG468wnjBDAMbRrEkmFDTQzT+LO30D/ALLXOiElVsHrtRyWhJ
    PG9cURI9uwqs15crxCpJvho1kt3SB9+yMB8Ql+CKnCQDHlNAfnn30MjFHShv/sAuEygFsN+Ekci5
    W1jySYE2rzE0qKVxWLSILFo1UFRVRsUnORTX/Nas7QIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
    fcQMnZNLpPobiX1xy1ROefPOhksVz8didY8Q2fjjaHG5lajMsqOROzubsuQ9Xh4ohT8kIA6xcBNZ
    g8FRNIRAHCtDXKOdOm3CpJ8da+YGI/ttSawIeNAKU1DApF9zMb7c2lS4yEfWmreoQdXIC9YeKtF6
    zwbn2EmIpjHzETtS5Nk=
    -----END NEW CERTIFICATE REQUEST-----

    When you request a certificate by using the dpadm request-cert command, the certificate request is a PKCS #10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is the format specified by RFCs 1421 through 1424. For more information, see http://www.ietf.org/rfc/rfc1421.txt. The PEM format represents a base64-encoded certificate request in ASCII format.

    When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.

  2. Send the certificate request to the CA, according to its procedures.

    After you have sent your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, the response time can be short. However, if the CA is external to your company, the CA can take several weeks to respond to your request.

  3. Save the certificate that you receive from the CA.

    Save your certificate in a text file, and back up the certificate in a safe location.

Procedure: To Install a CA-Signed Server Certificate for Directory Proxy Server

To trust the CA-signed server certificate, you must install the certificate on a Directory Proxy Server instance. This procedure installs the public key of a CA certificate to the certificate database on Directory Proxy Server.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. See if the trusted CA certificate for this CA is already installed.

    To do this, list all installed CA certificates, as described in To List CA Certificates.

  2. If the trusted CA certificate is not installed, add it to the certificate database on the Directory Proxy Server instance.


    $ dpadm add-cert instance-path cert-alias cert-file
    

    where cert-alias is the name of the trusted CA certificate and cert-file is the name of the file containing the trusted CA certificate.

  3. Install the CA-signed server certificate to the certificate database.


    $ dpadm add-cert instance-path cert-alias cert-file
    

    where cert-alias is the name of the CA-signed server certificate and cert-file is the name of the file containing the CA-signed server certificate. Note that this cert-alias must be the same as the cert-alias used in the certificate request.

    For example, you can add a CA-signed server certificate named CA-cert to the certificate database on /local/dps as follows:


    $ dpadm add-cert /local/dps CA-cert /local/safeplace/ca-cert-file.ascii

Renewing an Expired CA-Signed Certificate for Directory Proxy Server

This section describes how to renew an expired CA-signed server certificate.

Procedure: To Renew an Expired CA-Signed Server Certificate for Directory Proxy Server

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Obtain an updated certificate from your CA.

  2. Install the certificate on your instance of Directory Proxy Server.


    $ dpadm renew-cert instance-path cert-alias cert-file
    

    where cert-alias is the name of the new certificate and cert-file is the name of the file containing the certificate. For a description of all command options, see the dpadm(1M) man page.

Listing Certificates

For information about how to list server and CA certificates, see the following procedures.

Procedure: To List Server Certificates

This procedure lists all certificates that are installed on an instance of Directory Proxy Server.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. List the server certificates in the certificate database on the Directory Proxy Server instance.


    $ dpadm list-certs instance-path
    

    By default, an instance of Directory Proxy Server contains a server certificate named defaultservercert. The text Same as issuer indicates that the default certificate is a self-signed server certificate.

    For example:


    $ dpadm list-certs /local/dps
    Alias             Valid from       Expires on       Self-signed? Issued by          Issued to
    ----------------- ---------------- ---------------- ------------ ------------------ --------------
    defaultservercert 2006/06/01 04:15 2008/05/31 04:15 y            CN=myserver:myport Same as issuer
    1 certificate found.
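The listing is also the place to spot certificates that need renewal or that are still self-signed. The following is an added example, not part of the original guide: it filters dpadm list-certs output, assuming the column layout shown above. The names audit_certs and sample_listing and the second sample row are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumes the column layout shown in the listing above:
#   Alias | Valid from (date time) | Expires on (date time) | Self-signed? | ...

# audit_certs CUTOFF: read list-certs output on stdin and print one line per
# finding. CUTOFF is YYYY/MM/DD; certificates expiring before it are flagged.
audit_certs() {
    awk -v cutoff="$1" '
        # Data rows are recognised by their two date fields, so the header,
        # the ruler and the "N certificate found." trailer are skipped.
        $2 ~ /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ &&
        $4 ~ /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ {
            # YYYY/MM/DD sorts chronologically, so compare as strings.
            if (($4 "") < (cutoff "")) print $1, "expires-before-cutoff", $4
            if ($6 == "y")             print $1, "self-signed"
        }'
}

# Constructed sample: the first row is the one shown above, the second is invented.
sample_listing() {
    cat <<'EOF'
Alias             Valid from       Expires on       Self-signed? Issued by          Issued to
----------------- ---------------- ---------------- ------------ ------------------ --------------
defaultservercert 2006/06/01 04:15 2008/05/31 04:15 y            CN=myserver:myport Same as issuer
my-CA-signed-cert 2006/06/01 04:15 2007/06/01 04:15 n            CN=Example CA      CN=myserver
2 certificates found.
EOF
}

# Against a live instance:
#   dpadm list-certs /local/dps | audit_certs "$(date +%Y/%m/%d)"
sample_listing | audit_certs 2008/01/01
```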

Procedure: To List CA Certificates

This procedure lists CA certificates that are installed on an instance of Directory Proxy Server.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. List the CA certificates in the certificate database on the Directory Proxy Server instance.


    $ dpadm list-certs -C instance-path
    

    For example:


    $ dpadm list-certs -C /local/dps
    Alias   Valid from       Expires on        Built-in  Issued by    Issued to
    ------  ----------       ----------------  --------- ---------    ---------
    CAcert1 1999/06/21 06:00 2020/06/21 06:00  y         CN=company1, O=company2
    ...

Adding a Certificate From a Back-End LDAP Server to the Certificate Database on Directory Proxy Server

This section describes how to add a certificate from a back-end LDAP server to the certificate database on Directory Proxy Server.

Procedure: To Add a Certificate From a Back-End Directory Server to the Certificate Database on Directory Proxy Server

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Display the certificate from the back-end Directory Server in PEM format by using this command syntax:


    dsadm show-cert -F ascii instance-path [cert-alias]

    If you do not specify a cert-alias, the default server certificate is displayed. For a description of all command options, see the dsadm(1M) man page.

    For example, show the default self-signed server certificate as follows:


    $ dsadm show-cert -F ascii /local/ds defaultCert
    -----BEGIN CERTIFICATE-----
    MIICJjCCAY+gAwIBAgIFAIKL36kwDQYJKoZIhvcNAQEEBQAwVzEZMBcGA1UEChMQ
    U3VuIE1pY3Jvc3lzdGVtczEZMBcGA1UEAxMQRGlyZWN0b3J5IFNlcnZlcjENMAsG
    A1UEAxMEMjAxMTEQMA4GA1UEAxMHY29uZHlsZTAeFw0wNjA1MjIxMTQxNTVaFw0w
    NjA4MjIxMTQxNTVaMFcxGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxGTAXBgNV
    BAMTEERpcmVjdG9yeSBTZXJ2ZXIxDTALBgNVBAMTBDIwMTExEDAOBgNVBAMTB2Nv
    bmR5bGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK9U3ry3sJmEzwQY8CGd
    7S2MTZuBedo03Vea1lfDtD08WIsdDMzhHplTdeHAkWWNc8g2PDcEFXeWp9UXFMuD
    Pcia7t8HtFkm73VmlriWhMd8nn3l2vkxhsPK2LHFEeOIUDR9LBBiMiEeLkjdoEhE
    VLMSoYKqKI+Aa5grINdmtFzBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAF4eDbSd7
    qy2l10dIogT+rnXZ362gLTlQFCblhbGpmmptbegUdL1ITGv/62q1isPV2rW7CkjM
    Cqb0fo3k5UkKKvW+JbMowpQeAPnlgpX612HuDr1tldnKV4eyU7gpG31t/cpACALQ
    7OPi1A7oVb2Z8OJKfEJHkp3txBSsiI2gTkk=
    -----END CERTIFICATE-----

  2. Save the certificate.

    Save your certificate in a text file, and back up the certificate in a safe location.

  3. Add the certificate from the back-end LDAP server to the certificate database on an instance of Directory Proxy Server.


    $ dpadm add-cert instance-path cert-alias cert-file
    

    where cert-alias is the name of the certificate and cert-file is the name of the file containing the certificate.

    For example, you could add the certificate defaultCert as follows:


    $ dpadm add-cert /local/dps defaultCert /local/safeplace/defaultCert.ascii
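Because the proxy trusts whatever is in cert-file, it is worth confirming that the saved file still carries the certificate the back-end server displayed before running dpadm add-cert. The following is an added example, not part of the original guide: it compares SHA-256 fingerprints of the decoded certificate bytes using only awk, base64 and sha256sum. The function names and the sample files are constructed for illustration, and the base64 body is a placeholder rather than a real certificate.

```shell
#!/bin/sh
# Added example, not from the original guide.

# pem_fingerprint FILE: print the SHA-256 of the DER bytes of the first
# certificate in FILE; fail if FILE holds no certificate body.
pem_fingerprint() {
    # Keep the base64 body between the markers; drop indentation, CRs and
    # any surrounding text such as a captured shell prompt.
    body=$(awk '/-----END CERTIFICATE-----/ { exit }
                inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
                /-----BEGIN CERTIFICATE-----/ { inside = 1 }' "$1")
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# same_cert A B: succeed only if both files carry the same certificate bytes.
same_cert() {
    fp_a=$(pem_fingerprint "$1") || return 2
    fp_b=$(pem_fingerprint "$2") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Constructed sample files; the base64 body is a placeholder, not a real certificate.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q29uc3RydWN0ZWQgc2FtcGxlLCBu' 'b3QgYSByZWFsIGNlcnRpZmljYXRl' \
        '-----END CERTIFICATE-----' > "$1/source.ascii"
    # Same certificate as pasted from a terminal: prompt line, indent, CRLF.
    printf '%s\r\n' '$ dsadm show-cert -F ascii /local/ds defaultCert' \
        '    -----BEGIN CERTIFICATE-----' \
        '    Q29uc3RydWN0ZWQgc2FtcGxlLCBu' '    b3QgYSByZWFsIGNlcnRpZmljYXRl' \
        '    -----END CERTIFICATE-----' > "$1/copy.ascii"
    # One character changed in transit.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q29uc3RydWN0ZWQgc2FtcGxlLCBu' 'b3QgYSByZWFsIGNlcnRpZmljYXRm' \
        '-----END CERTIFICATE-----' > "$1/altered.ascii"
}

dir=$(mktemp -d)
make_samples "$dir"
same_cert "$dir/source.ascii" "$dir/copy.ascii"    && echo "copy matches source"
same_cert "$dir/source.ascii" "$dir/altered.ascii" || echo "altered file rejected"
```

Run pem_fingerprint on the back-end host and on the proxy host and compare the two values over a separate channel before adding the certificate.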

Exporting a Certificate to a Back-End LDAP Server

Back-end LDAP servers might require a certificate from Directory Proxy Server. This section describes how to configure Directory Proxy Server to export a certificate to a back-end LDAP server.

Procedure: To Configure Directory Proxy Server to Export a Client Certificate to a Back-End LDAP Server

  1. Specify the certificate to be sent to the back-end LDAP server.


    $ dpconf set-server-prop -h host -p port ssl-client-cert-alias:cert-alias
    

    where cert-alias is the name of the certificate. For a description of all command options, see the dpconf(1M) man page.

  2. Copy the contents of the certificate to a file.


    $ dpadm show-cert -F ascii -o filename instance-path cert-alias
    
  3. Add the certificate to the certificate database for the back-end LDAP server as described in To Add the CA-Signed Server Certificate and the Trusted CA Certificate.

Next Steps

Configure the back-end LDAP server for client authentication. For information about how to do this for Directory Server, see Configuring Credential Levels and Authentication Methods.

See Also

For information about configuring certificate-based authentication between clients and Directory Proxy Server, see To Configure Certificate-based Authentication.

Backing Up and Restoring a Certificate Database for Directory Proxy Server

Server certificates are backed up when you use dpadm to back up Directory Proxy Server. The backed up certificates are stored in the archive-path/alias directory.

For information about how to back up and restore Directory Proxy Server, see Backing Up and Restoring a Directory Proxy Server Instance.

Prompting for a Password to Access the Certificate Database

By default, the password for the certificate database is managed internally. Therefore, you do not need to type a certificate password or specify the password file. When the certificate database is managed internally through a stored password, the password is stored in a secure environment.

For more security and more control over certificates, configure Directory Proxy Server to prompt for a password on the command line. You are then prompted to enter the password for all dpadm subcommands except autostart, backup, disable-service, enable-service, info, restore, and stop.

For information about configuring Directory Proxy Server to prompt or not to prompt for passwords, see the following procedures.

Procedure: To Prompt for a Password to Access the Certificate Database

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Stop the server.


    $ dpadm stop instance-path
    Directory Proxy Server instance 'instance-path' stopped

  2. Set the password prompt flag to on, then type and confirm the certificate database password.


    $ dpadm set-flags instance-path cert-pwd-prompt=on
    Choose the certificate database password:
    Confirm the certificate database password:

  3. Start the server, then type the certificate database password.


    $ dpadm start instance-path
    Enter the certificate database password:

Procedure: To Disable the Password Prompt to Access the Certificate Database

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Stop the server.


    $ dpadm stop instance-path
    Directory Proxy Server instance 'instance-path' stopped

  2. Set the password prompt flag to off, then type the existing password.


    $ dpadm set-flags instance-path cert-pwd-prompt=off
    Enter the old password:

  3. Start the server.


    $ dpadm start instance-path