This procedure explains how to install a CA-signed server certificate and a trusted CA certificate for Directory Server.
You can also perform this task with DSCC. For details, see Directory Service Control Center Interface and the DSCC online help.
Add the CA-signed server certificate.
$ dsadm add-cert instance-path cert-alias cert-file
where cert-alias is a name that you choose to identify the certificate, and cert-file is a text file containing the PEM-encoded (base64 X.509) certificate that the CA returned for your request.
For example, to install a CA-signed server certificate, use a command such as the following:
$ dsadm add-cert /local/ds server-cert /local/safeplace/serv-cert-file
The certificate is now installed but is not yet trusted. To make the CA-signed server certificate trusted, you must also install the certificate of the Certificate Authority that issued it.
Add the trusted Certificate Authority certificate.
$ dsadm add-cert -C instance-path cert-alias cert-file
The -C option indicates that the certificate is a trusted Certificate Authority certificate.
For example, to install the trusted certificate provided by the Certificate Authority, use this command:
$ dsadm add-cert -C /local/ds CA-cert /local/safeplace/ca-cert-file
(Optional) Verify the installed certificates.
To list all server certificates with their validity dates and aliases, type:
$ dsadm list-certs instance-path
For example:
$ dsadm list-certs /local/ds1
Enter the certificate database password:
Alias        Valid from  Expires on  Self-    Issued by           Issued to
                                     signed?
-----------  ----------  ----------  -------  ------------------  -----------------
serverCert   2000/11/10  2011/02/10  n        CN=CA-Signed Cert,  CN=Test Cert,
             18:13       18:13                OU=CA,O=com         dc=example,dc=com
defaultCert  2006/05/18  2006/08/18  y        CN=host1,CN=DS,     Same as issuer
             16:28       16:28                dc=example,dc=com
2 certificates found
By default, a Directory Server instance contains a default server certificate with the alias defaultCert. Same as issuer in the Issued to column indicates that the certificate is self-signed, so defaultCert is a self-signed server certificate.
To list the trusted CA certificates, type:
$ dsadm list-certs -C instance-path
For example:
$ dsadm list-certs -C /local/ds1
Enter the certificate database password:
Alias    Valid from  Expires on  Self-    Issued by            Issued to
                                 signed?
-------  ----------  ----------  -------  -------------------  -----------------
CA-cert  2000/11/10  2011/02/10  y        CN=Trusted CA Cert,  Same as issuer
         18:12       18:12                OU=CA,O=com
1 certificate found
To view the details of a certificate, including its expiration date, type:
$ dsadm show-cert instance-path cert-alias
where cert-alias is the alias you gave to dsadm add-cert, as shown in the Alias column of dsadm list-certs. Check the Not After date and the Signature Algorithm in the output: the sample certificate below is signed with PKCS #1 MD5 With RSA Encryption, and MD5 signatures are deprecated and rejected by most current TLS clients, so a certificate issued by a CA today should show a SHA-2 based algorithm instead.
For example, to view a server certificate, type:
$ dsadm show-cert /local/ds1 "Server-Cert"
Enter the certificate database password:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer:
            "CN=Server-Cert,O=Sun,C=US"
        Validity:
            Not Before: Fri Nov 10 18:12:20 2000
            Not After : Thu Feb 10 18:12:20 2011
        Subject:
            "CN=CA Server Cert,OU=ICNC,O=Sun,C=FR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    bd:76:fc:29:ca:06:45:df:cd:1b:f1:ce:bb:cc:3a:f7:
                    77:63:5a:82:69:56:5f:3d:3a:1c:02:98:72:44:36:e4:
                    68:8c:22:2b:f0:a2:cb:15:7a:c4:c6:44:0d:97:2d:13:
                    b7:e3:bf:4e:be:b5:6a:df:ce:c4:c3:a4:8a:1d:fa:cf:
                    99:dc:4a:17:61:e0:37:2b:7f:90:cb:31:02:97:e4:30:
                    93:5d:91:f7:ef:b0:5a:c7:d4:de:d8:0e:b8:06:06:23:
                    ed:5f:33:f3:f8:7e:09:c5:de:a5:32:2a:1b:6a:75:c5:
                    0b:e3:a5:f2:7a:df:3e:3d:93:bf:ca:1f:d9:8d:24:ed
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        85:92:42:1e:e3:04:4d:e5:a8:79:12:7d:72:c0:bf:45:
        ea:c8:f8:af:f5:95:f0:f5:83:23:15:0b:02:73:82:24:
        3d:de:1e:95:04:fb:b5:08:17:04:1c:9d:9c:9b:bd:c7:
        e6:57:6c:64:38:8b:df:a2:67:f0:39:f9:70:e9:07:1f:
        33:48:ea:2c:18:1d:f0:30:d8:ca:e1:29:ec:be:a3:43:
        6f:df:03:d5:43:94:8f:ec:ea:9a:02:82:99:5a:54:c9:
        e4:1f:8c:ae:e2:e8:3d:50:20:46:e2:c8:44:a6:32:4e:
        51:48:15:d6:44:8c:e6:d2:0d:5f:77:9b:62:80:1e:30
    Fingerprint (MD5):
        D9:FB:74:9F:C3:EC:5A:89:8F:2C:37:47:2F:1B:D8:8F
    Fingerprint (SHA1):
        2E:CA:B8:BE:B6:A0:8C:84:0D:62:57:85:C6:73:14:DE:67:4E:09:56
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User
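The verification step above is easy to skim past on a host with several certificates. The following Python script is an added example, not part of the Directory Server documentation or of the dsadm tool: it parses the output of dsadm list-certs and dsadm list-certs -C (column positions are read from the header line, and the wrapped second line of each row is merged back into its record), then reports server certificates that are expired or expiring soon, that are self-signed, or whose issuer is not among the installed trusted CAs. The two listings embedded in the script are constructed samples in the layout shown above, with the server certificate's issuer set to the trusted CA so that the chain check can be seen passing; the file name audit_certs.py and the 90-day warning threshold are assumptions.

```python
"""Audit the certificates reported by `dsadm list-certs` and `dsadm list-certs -C`.
Added example (audit_certs.py is an assumed file name), not part of Directory Server."""
import datetime as dt
import re
import sys

COLUMNS = ("Alias", "Valid from", "Expires on", "Self-", "Issued by", "Issued to")

# Constructed sample in the layout of `dsadm list-certs instance-path` (not captured from
# a real instance): a CA-signed server certificate plus the self-signed defaultCert.
SERVER_CERTS = """\
Enter the certificate database password:
Alias        Valid from  Expires on  Self-    Issued by            Issued to
                                     signed?
-----------  ----------  ----------  -------  -------------------  -----------------
serverCert   2000/11/10  2011/02/10  n        CN=Trusted CA Cert,  CN=Test Cert,
             18:13       18:13                OU=CA,O=com          dc=example,dc=com
defaultCert  2006/05/18  2006/08/18  y        CN=host1,CN=DS,      Same as issuer
             16:28       16:28                dc=example,dc=com
2 certificates found
"""

# Constructed sample in the layout of `dsadm list-certs -C instance-path`.
TRUSTED_CAS = """\
Enter the certificate database password:
Alias    Valid from  Expires on  Self-    Issued by            Issued to
                                 signed?
-------  ----------  ----------  -------  -------------------  -----------------
CA-cert  2000/11/10  2011/02/10  y        CN=Trusted CA Cert,  Same as issuer
         18:12       18:12                OU=CA,O=com
1 certificate found
"""


def parse_timestamp(text):
    """dsadm prints 'YYYY/MM/DD' on the first line of a row and 'HH:MM' on the second."""
    return dt.datetime.strptime(text, "%Y/%m/%d %H:%M")


def parse_list_certs(text):
    """Return one dict per certificate from the output of `dsadm list-certs [-C]`."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("Alias"))
    starts = [lines[header].index(label) for label in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))  # slice each line by header columns
    records = []
    for line in lines[header + 1:]:
        if re.match(r"\d+ certificates? found", line):
            break
        if line.strip() == "signed?" or line.startswith("---"):
            continue  # second header line and the dashed rule
        cells = [line[a:b].strip() for a, b in bounds]
        if cells[0]:  # a non-empty alias starts a new row
            records.append(dict(zip(COLUMNS, cells)))
        elif records:  # otherwise this is the wrapped remainder of the previous row
            for key, cell in zip(COLUMNS, cells):
                if cell:
                    records[-1][key] = (records[-1][key] + " " + cell).strip()
    for rec in records:
        for key in ("Issued by", "Issued to"):
            rec[key] = re.sub(r",\s+", ",", rec[key])  # re-join DNs split across lines
        rec["self_signed"] = rec.pop("Self-").lower() == "y"
        rec["valid_from"] = parse_timestamp(rec.pop("Valid from"))
        rec["expires_on"] = parse_timestamp(rec.pop("Expires on"))
    return records


def trusted_ca_subjects(ca_records):
    """Subjects of the CAs listed with -C; 'Same as issuer' marks a self-signed root."""
    return {rec["Issued by"] if rec["Issued to"] == "Same as issuer" else rec["Issued to"]
            for rec in ca_records}


def audit(server_records, ca_records, now, warn_days=90):
    """Map each server-certificate alias that needs attention to its list of findings."""
    trusted = trusted_ca_subjects(ca_records)
    findings = {}
    for rec in server_records:
        problems = []
        remaining = (rec["expires_on"] - now).days
        if rec["expires_on"] <= now:
            problems.append("expired on %s" % rec["expires_on"].date())
        elif remaining < warn_days:
            problems.append("expires in %d days" % remaining)
        if rec["self_signed"]:
            problems.append("self-signed, clients will not trust it")
        elif rec["Issued by"] not in trusted:  # textual DN match, not a signature check
            problems.append("issuer %s is not an installed trusted CA" % rec["Issued by"])
        if problems:
            findings[rec["Alias"]] = problems
    return findings


if __name__ == "__main__":
    # python audit_certs.py server.txt ca.txt, where the files hold the captured output of
    # `dsadm list-certs` and `dsadm list-certs -C`; with no arguments the samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            server_text, ca_text = f1.read(), f2.read()
    else:
        server_text, ca_text = SERVER_CERTS, TRUSTED_CAS
    report = audit(parse_list_certs(server_text), parse_list_certs(ca_text), dt.datetime.now())
    for alias, problems in report.items():
        print("%s: %s" % (alias, "; ".join(problems)))
```

Capture real listings with dsadm list-certs /local/ds1 > server.txt and dsadm list-certs -C /local/ds1 > ca.txt, then run the script on the two files. Matching the Issued by DN against a trusted CA's subject is a textual check, not a signature verification, so treat it as a quick sanity check right after installation; the TLS client still validates the chain cryptographically.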