Creating, Requesting and Installing Certificates for Directory Proxy Server
To run the Secure Sockets Layer (SSL) on Directory Proxy Server, you must either use a self-signed certificate or a Public Key Infrastructure (PKI) solution.
The PKI solution involves an external Certificate Authority (CA). For a PKI solution you need a CA-signed server certificate, which contains both a public key and a private key. This certificate is specific to one Directory Proxy Server instance. You also need a trusted CA certificate, which contains a public key. The trusted CA certificate ensures that all server certificates from your CA are trusted. This certificate is sometimes called a CA root key or root certificate.
For information about how to create a non-default self-signed certificate and to request and install a CA-signed certificate, see the following procedures.
To Create a Non-default Self-Signed Certificate for Directory Proxy Server
When you create a Directory Proxy Server instance, a default self-signed certificate is automatically provided. If you want to create a self-signed certificate with non-default settings, use this procedure.
The procedure creates the public and private key pair for a server certificate, where the public key is signed by Directory Proxy Server. A self-signed certificate is valid for three months.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
-
To create a non-default self-signed certificate for Directory Proxy Server, type:
$ dpadm add-selfsign-cert instance-path cert-alias
where cert-alias is the name of the self-signed certificate.
For example, you could create a certificate called my-self-signed-cert as follows:
$ dpadm add-selfsign-cert /local/dps my-self-signed-cert
For a description of all command options, see the dpadm(1M) man page or type dpadm add-selfsign-cert --help at the command line.
To Request a CA-Signed Certificate for Directory Proxy Server
Self-signed certificates are useful for test purposes. However, in a production environment, using trusted Certificate Authority (CA) certificates is more secure.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
-
Request a CA-signed server certificate.
$ dpadm request-cert instance-path cert-alias
where cert-alias is the name of the certificate that you are requesting. Certificate Authorities might require all of the options of the command to identify the server. For a description of all command options, see the dpadm(1M) man page.
The process for obtaining a CA certificate depends on the CA that you use. Some commercial CAs provide a web site that allows you to download the certificate. Other CAs will send the certificate to you in email.
For example, you could request a certificate called my-CA-signed-cert as follows:
$ dpadm request-cert -S cn=my-request,o=test /local/dps my-CA-signed-cert -----BEGIN NEW CERTIFICATE REQUEST----- MIIBYDCBygIBADAhMQ0wCwYDVQQDEwRnZXJpMRAwDgYDVQQDEwdteWNlcnQ0MIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQC3v9ubG468wnjBDAMbRrEkmFDTQzT+LO30D/ALLXOiElVsHrtRyWhJ PG9cURI9uwqs15crxCpJvho1kt3SB9+yMB8Ql+CKnCQDHlNAfnn30MjFHShv/sAuEygFsN+Ekci5 W1jySYE2rzE0qKVxWLSILFo1UFRVRsUnORTX/Nas7QIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA fcQMnZNLpPobiX1xy1ROefPOhksVz8didY8Q2fjjaHG5lajMsqOROzubsuQ9Xh4ohT8kIA6xcBNZ g8FRNIRAHCtDXKOdOm3CpJ8da+YGI/ttSawIeNAKU1DApF9zMb7c2lS4yEfWmreoQdXIC9YeKtF6 zwbn2EmIpjHzETtS5Nk= -----END NEW CERTIFICATE REQUEST-----
When you request a certificate by using the dpadm request-cert command, the certificate request is a PKCS #10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is the format specified by RFCs 1421 through 1424. For more information, see http://www.ietf.org/rfc/rfc1421.txt. The PEM format represents a base64-encoded certificate request in ASCII format.
When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.
-
Send the certificate request to the CA, according to its procedures.
After you have sent your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, the response time can be short. However, if the CA is external to your company, the CA can take several weeks to respond to your request.
-
Save the certificate that you receive from the CA.
Save your certificate in a text file, and back up the certificate in a safe location.
To Install a CA-Signed Server Certificate for Directory Proxy Server
To trust the CA-signed server certificate, you must install the certificate on a Directory Proxy Server instance. This procedure installs the public key of a CA certificate to the certificate database on Directory Proxy Server.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
-
See if the trusted CA certificate for this CA is already installed.
To do this, list all installed CA certificates, as described in To List CA Certificates.
-
If the trusted CA certificate is not installed, add it to the certificate database on the Directory Proxy Server instance.
$ dpadm add-cert instance-path cert-alias cert-file
where cert-alias is the name of the trusted CA certificate and cert-file is the name of the file containing the trusted CA certificate.
-
Install the CA-signed server certificate to the certificate database.
$ dpadm add-cert instance-path cert-alias cert-file
Where cert-alias is the name of the CA-signed server certificate and cert-file is the name of the file containing the CA-signed server certificate. Note that this cert-alias must be the same as the cert-alias used in the certificate request
For example, you can add a CA-signed server certificate named CA-cert to the certificate database on/local/dps as follows:
$ dpadm add-cert /local/dps CA-cert /local/safeplace/ca-cert-file.ascii
- © 2010, Oracle Corporation and/or its affiliates