To Manually Populate a Directory Server with a Certificate Revocation List (Sun OpenSSO Enterprise 8.0 Administration Guide)

Sun OpenSSO Enterprise 8.0 Administration Guide

To Manually Populate a Directory Server with a Certificate Revocation List

Use your browser to get the initial CRL from the certificate authority manually.

Save the initial CRL file in the binary DER format to your local machine.

Convert the DER file to the text-based PEM format and finally LDAP Data Interchange Format (LDIF) using the following command:

ldif -b certificaterevocationlist;binary crl.ldif

Note –

The ldif command is available in your Directory Server installation.

The crl.ldif file contains text similar to the following:

certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
  YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
  tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
  UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
  GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0

Do one of the following to define the LDAP entry in which the CRL will be stored.

For an existing entry, specify the DN in the LDIF file.

# entry-id: famouseCA dn: CN=famouseCA,ou=People,dc=sun,dc=com 
certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
  YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
  tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
  UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
  GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0

For a new entry, specify the DN and object classes in the LDIF file.

# entry-id: tester200
dn: CN=famouseCA,ou=People,dc=sun,dc=com
sn: famouseCA
cn: famouseCA
employeeNumber: 1001
telephoneNumber: 555-555-5555
postalAddress: 555 Test Drive
iplanet-am-modifiable-by: cn=Top-level Admin Role,dc=iplanet,dc=com
mail: famouseCA@test.com
givenName: Test
inetUserStatus: Active
uid: tester200
objectClass: iplanet-am-user-service
objectClass: inetAdmin
objectClass: iPlanetPreferences
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: iplanet-am-managed-person
objectClass: inetuser
objectClass: top
userPassword: {SSHA}E3TJ4DT7IoOLETVny1ktxUGWNTpBYq8tj3C1Sg==
creatorsName: cn=puser,ou=dsame users,dc=iplanet,dc=com
modifiersName: cn=puser,ou=dsame users,dc=iplanet,dc=com
createTimestamp: 20031125043253Z
modifyTimestamp: 20031125043253Z
certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
  YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
  tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
  UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
  GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0G8=

Run one of the following ldapmodify commands based on whether you are adding the LDIF file to an existing entry or creating a new entry.
- To add a CRL to an existing LDAP entry (using an LDIF file with a specified DN), use the following command:
```
ldapmodify -r -h Directory Server_host -p Directory Server_port 
-f ldif-file -D cn=Directory Manager -w password
```
- To add a CRL to a new LDAP entry (using an LDIF file with a specified DN and object classes), use the following command:
```
ldapmodify -a -h Directory Server_host -p Directory Server_port 
-f ldif-file -D cn=Directory Manager -w password
```