Sun Java System SAML v2 Plug-in for Federation Services User's Guide

ProcedureTo Manually Populate a Directory Server with a Certificate Revocation List

  1. Use your browser to get the initial CRL from the certificate authority manually.

  2. Save the initial CRL file in the binary DER format to your local machine.

  3. Convert the DER file to the text-based PEM format and finally LDAP Data Interchange Format (LDIF) using the following command:

    ldif -b certificaterevocationlist;binary < famouseCA.crl > crl.ldif

    Note –

    The ldif command is available in your Directory Server installation.

    The crl.ldif file contains text similar to the following:

    certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
  4. Do one of the following to define the LDAP entry in which the CRL will be stored.

    • For an existing entry, specify the DN in the LDIF file.

      # entry-id: famouseCA dn: CN=famouseCA,ou=People,dc=sun,dc=com 
      certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
    • For a new entry, specify the DN and object classes in the LDIF file.

      # entry-id: tester200
      dn: CN=famouseCA,ou=People,dc=sun,dc=com
      sn: famouseCA
      cn: famouseCA
      employeeNumber: 1001
      telephoneNumber: 555-555-5555
      postalAddress: 555 Test Drive
      iplanet-am-modifiable-by: cn=Top-level Admin Role,dc=iplanet,dc=com
      givenName: Test
      inetUserStatus: Active
      uid: tester200
      objectClass: iplanet-am-user-service
      objectClass: inetAdmin
      objectClass: iPlanetPreferences
      objectClass: inetOrgPerson
      objectClass: organizationalPerson
      objectClass: person
      objectClass: iplanet-am-managed-person
      objectClass: inetuser
      objectClass: top
      userPassword: {SSHA}E3TJ4DT7IoOLETVny1ktxUGWNTpBYq8tj3C1Sg==
      creatorsName: cn=puser,ou=dsame users,dc=iplanet,dc=com
      modifiersName: cn=puser,ou=dsame users,dc=iplanet,dc=com
      createTimestamp: 20031125043253Z
      modifyTimestamp: 20031125043253Z
      certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
  5. Run one of the following ldapmodify commands based on whether you are adding the LDIF file to an existing entry or creating a new entry.

    • To add a CRL to an existing LDAP entry (using an LDIF file with a specified DN), use the following command:

      ldapmodify -r -h Directory Server_host -p Directory Server_port 
      -f ldif-file -D cn=Directory Manager -w password
    • To add a CRL to a new LDAP entry (using an LDIF file with a specified DN and object classes), use the following command:

      ldapmodify -a -h Directory Server_host -p Directory Server_port 
      -f ldif-file -D cn=Directory Manager -w password