You should already have a root certificate from the CA of your choice. Send any server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.
Log in to the ds2.sp-example.com host machine as a root user.
Generate a request for a server certificate signed by a CA.
# cd /var/opt/mps/serverroot/ds6/bin # ./dsadm request-cert -S "CN=ds2.sp-example.com, OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara ST=California, C=US" -F ascii -o ds-2.csr /var/opt/mps/sp-users |
ds-2.csr is the certificate request.
Send ds-2.csr to the CA of your choice.
The CA issues and returns a certified server certificate named ds-2.cer.
Add ds-2.cer, the CA-signed server certificate, to the certificate store.
# ./dsadm add-cert /var/opt/mps/sp-users server-cert ds-2.cer |
Add ca.cer, the CA root certificate, to the certificate store.
# ./dsadm add-cert --ca /var/opt/mps/sp-users opensslCA ca.cer |
(Optional) Verify that the CA root certificate was successfully added.
# ./dsadm list-certs -C /var/opt/mps/sp-users | grep opensslCA opensslCA 2008/02/06 00:00 2017/02/06 00:00 n CN=Certificate Manager,OU=opensso,O=Identity,C=us Same as issuer |
Configure the Directory Server instance to use the imported certificates.
# ./dsconf set-server-prop -h ds2.sp-example.com -p 1489 ssl-rsa-cert-name:server-cert Enter "cn=Directory Manager" password: dsmanager Before setting SSL configuration, export Directory Server data. Do you want to continue [y/n] ? y Directory Server must be restarted for changes to take effect. |
Restart the Directory Server instance.
Directory Server needs to be restarted to use the new certificates.
# ./dsadm stop /var/opt/mps/sp-users Directory Server instance '/var/opt/mps/sp-users' stopped # ./dsadm start /var/opt/mps/sp-users Directory Server instance '/var/opt/mps/sp-users' started: pid=7311 |
Run ldapsearch on Directory Server 2 to verify that the directory entries can be accessed through the secure port.
# cd /var/opt/mps/serverroot/dsrk6/bin # ./ldapsearch -h ds2.sp-example.com -p 1736 -Z -P /var/opt/mps/sp-users/alias/slapd-cert8.db -b "" -s base "(objectclass=*)" version: 1 dn: objectClass:top namingContexts: o=spusers.com supportedExtension: 2.16.840.1.113730.3.5.7 : supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5 supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5 |
This confirms that the Directory Server instance can be accessed through the secure port.
Log out of the ds2.sp-example.com host machine.