Sun Java System Directory Server Enterprise Edition 6.3 Troubleshooting Guide

Verifying the Certificates Using certutil on Directory Server 5.x

If you are using migrated 5.x instances of Directory Server, you can verify the contents of the certificates database using the output of the Certificate Database Tool, or certutil. The certutil tool displays the contents of the certificate and key database files. For more information about this tool, go to http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.


Note –

The certutil tool can be used by advanced users to populate the certificate database.


For example, run the certutil tool as follows:


# ./certutil -L -d /opt/SUNWdsee/alias -P slapd-

Test (SUBCA1) Internal CA    CT,C,C
Test (CMSENG) Internal CA    CT,C,C
ESD SubCA1 Certificate       u,,

The tool lists the certificates, such as Test (SUBCA2) Internal CA, and the trust flags associated with each certificate, such as CT,C,C. The three comma-separated fields are the trust settings for SSL, email, and object signing, respectively. Verify that the SSL server certificates are issued by a certificate authority that has a C,, flag. Verify that SSL client certificates are issued by a certificate authority with a T,, flag.

For example, you might have a certificate that works only as an SSL client, but you were trying to use it as an SSL server, which would not work. In replication, all Directory Server replicas need certificates signed by a certificate authority with the CT,, trust flags, because each replica acts as both a supplier and a consumer. Change the certificate trust flags to CT,, as follows:


# ./certutil -M -n cert-name -t CT,, -d /opt/SUNWdsee/alias -P slapd-
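As an added example that is not part of the guide, the following POSIX shell script parses certutil -L listing lines and reports, for each entry, whether the SSL trust field makes the certificate authority usable for server certificates (C), client certificates (T), both (as replication requires), or neither. The sample listing is constructed (the first three lines mirror the listing above; the last two are hypothetical CAs with incomplete trust), and the function names are my own. In practice you would pipe the real output of certutil -L into audit_trust.

```shell
#!/bin/sh
# Added example, not from the DSEE guide. Audits the SSL trust flags in
# `certutil -L` output. Real usage would be:
#   ./certutil -L -d /opt/SUNWdsee/alias -P slapd- | audit_trust
# Each listing line ends with three comma-separated trust fields:
# SSL, email, object signing. Only the SSL field is examined here.

# Constructed sample listing (the last two CAs are hypothetical).
SAMPLE='Test (SUBCA1) Internal CA    CT,C,C
Test (CMSENG) Internal CA    CT,C,C
ESD SubCA1 Certificate       u,,
Partner Issuing CA           C,,
Legacy Client CA             T,,'

# ssl_flags LINE -> the SSL trust field (first field of the last column)
ssl_flags() {
    printf '%s\n' "$1" | awk '{ split($NF, f, ","); print f[1] }'
}

# cert_name LINE -> the certificate nickname (everything before the trust column)
cert_name() {
    printf '%s\n' "$1" | awk '{ $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# trust_role FLAGS -> what the CA is trusted to issue for SSL:
#   C = server certificates, T = client certificates,
#   CT = both (required for replication suppliers and consumers),
#   u  = a user certificate whose private key is in the key database.
trust_role() {
    case "$1" in
        *C*T*|*T*C*) echo "server+client" ;;
        *C*)         echo "server-only" ;;
        *T*)         echo "client-only" ;;
        *u*)         echo "user-cert" ;;
        *)           echo "untrusted" ;;
    esac
}

# audit_trust reads listing lines on stdin, prints one report line per
# certificate, and returns 1 if any CA is trusted for only one SSL role.
audit_trust() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Newer certutil versions print a two-line header; skip it.
        case "$line" in *"Trust Attributes"*|*"SSL,S/MIME"*) continue ;; esac
        flags=$(ssl_flags "$line")
        role=$(trust_role "$flags")
        printf '%-30s %-6s %s\n' "$(cert_name "$line")" "$flags" "$role"
        case "$role" in server-only|client-only) status=1 ;; esac
    done
    return $status
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | audit_trust \
    || echo "WARNING: one-sided CA trust found; fix with certutil -M -n <nickname> -t CT,,"
```

A CA reported as server-only or client-only is the case the guide describes: certificates it issued will work for one side of an SSL connection but not the other, and replicas using them cannot act as both supplier and consumer until the trust flags are changed to CT,,.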

You can also run the certutil tool with the following options to see the certificate authority that issued a given certificate:


# ./certutil -L -n server-cert -d /opt/SUNWdsee/alias -P slapd-

Use this information to confirm that the certificate is present in the certificate database. You can also check the expiration date of the certificate to make sure that it has not expired.