7.5.2. Using Temporary Self-Signed Directory Server Certificates

When first setting up Certificate System, a local CA may not be available. The Directory Server can be initially configured to use SSL based on temporary self-signed certificates which are generated using certutil. Once a new Certificate System CA is fully set up and configured, the Directory Server can then request permanent SSL certificates from the CA. The Directory Server instance and the CA must then be reconfigured to use the new, permanent certificates.

NOTE

The CA certificate for the external CA which issued the Directory Server's certificates only needs to be imported into the security database for the first CA configured. Once the temporary certificates are replaced by the ones issued by the Certificate System CA, every subsystem instance in the security domain will automatically trust the Directory Server because they will already trust the issuing Certificate System CA.
  1. Configure the Red Hat Directory Server instance to run over SSL. This is described in detail in the SSL configuration chapter in the Directory Server 8.2 Administrator's Guide.
    1. Open the Directory Server instance's security directory.
      cd /etc/dirsrv/slapd-instance
      The Directory Server instance should have its security databases already set up in the /etc/dirsrv/slapd-instance directory. If these databases are missing for some reason, they can be created using the certutil command.
      certutil -N -d .
    2. Generate temporary self-signed certificates for the Directory Server using certutil. For example:
      certutil -S -n "Temporary CA certificate" -s "cn=Temporary CA cert,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa
      
      certutil -S -n "Server-Cert" -s "cn=ldap.example.com" -c "Temporary CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa
    3. Import the temporary server and CA certificates into the Directory Server using the Directory Server Console. When importing the CA certificate into the Directory Server security databases in the Directory Server Console, make sure to allow the CA certificate to be trusted for both client and server authentication.
    4. In the Directory Server Console, open the Configuration tab and the Encryption subtab. Check the Enable SSL checkbox and select all the ciphers and certificates to use. The only server certificate listed should be the temporary server certificate, Server-Cert.
    5. At the bottom of the window, select the Allow client authentication radio button. Do not require client authentication. Requiring client authentication will prevent the Certificate System server from connecting to the Directory Server instance.
    6. Restart the Directory Server instance.
      service dirsrv restart
  2. Export that Directory Server's temporary CA certificate from its security database.
    certutil -L -d /ldap/alias/directory -n "Temporary CA certificate" -a > tempcacert.crt
  3. Import that Directory Server's temporary CA certificate into the Certificate System security database. Importing the CA certificate allows the Certificate System instance to connect to the Directory Server over the secure port during its setup process.
    # service instance_name stop
    
    # certutil -A -i tempcacert.crt -t "CT,C,C" -n "Temporary CA certificate" -a -d /var/lib/instance_name/alias
    
    # service instance_name start
  4. Begin the CA instance setup. When the wizard comes to the section to configure the LDAP instance to use, supply the SSL port for the Directory Server instance and select the SSL checkbox.
  5. Once the CA is configured, it can be used to issue new certificates to the Directory Server instance.
    1. Generate a new certificate request for the Directory Server. This must have the same certificate nickname as the original, temporary certificate.
      A certificate request can be generated in the Directory Server Console or using certutil. For example:
      certutil -R -n "Server-Cert" -s "cn=ldap.example.com" -d /ldap/alias/directory -a
    2. Submit the generated certificate request through the CA's end-entities forms:
      https://server.example.com:9444/ca/ee/ca
    3. Log into the CA's agent forms as an agent, and approve the request. The process of approving certificates is covered in the Agent's Guide.
    4. When the request is approved, the agent form returns the base 64-encoded version of the new certificate. Copy and save this certificate, including the header and footer lines, to a file.
    5. Export the CA certificate so that it can be imported into the Directory Server.
      certutil -L -d /var/lib/pki-ca/alias -n "CA certificate" -a > cacert.crt
    6. Stop the Directory Server.
      service dirsrv stop
    7. Stop the CA.
      service pki-ca stop
    8. Delete the temporary Server-Cert SSL certificate from the Directory Server's security database:
      certutil -D -d /ldap/alias/directory -n "Server-Cert"
    9. Delete the temporary CA certificate from the Directory Server's security database:
      certutil -D -d /ldap/alias/directory -n "Temporary CA certificate"
    10. Import the new, permanent Server-Cert SSL certificate into the Directory Server's security database:
      certutil -A -i ldap-server.crt -a -t "u,u,u" -d /ldap/alias/directory -n "Server-Cert"
    11. Import the new, permanent CA signing certificate into the Directory Server's security database:
      certutil -A -i casigning-b64.crt -a -t "CT,C,C" -d /ldap/alias/directory -n "caSigningCert cert-pki-ca"
    12. Start the Directory Server.
      service dirsrv start
    13. Start the CA.
      service pki-ca start
  6. For the TPS only. After the CA is configured, and after the TPS is created but before it is configured, import the Directory Server's CA certificate into the TPS's security databases. The TPS instance must be stopped before the certificates can be imported.
    # service pki-tps stop
    
    # certutil -A -i cacert.crt -t "CT,C,C" -n "CA_cert_nickname" -a -d /var/lib/pki-tps/alias
    
    # service pki-tps start
  7. Optional. Configure SSL client authentication between each Certificate System subsystem instance and the LDAP server. This is done after the instance is set up and is covered in the section in the Certificate System Administrator's Guide for configuring the LDAP database.
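The following script is an added example and is not part of the Red Hat documentation or of Certificate System itself. It audits the Directory Server security database after the temporary certificates have been replaced (steps 8 through 11 above) by reading `certutil -L` output and checking that only the permanent Server-Cert remains, that the CA signing certificate is trusted for both client and server authentication, and that the temporary CA certificate has been deleted. The nickname "caSigningCert cert-pki-ca" is the default assumed here; pass a different one as the function's argument.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): audit the Directory
# Server NSS database after the temporary certificates have been replaced.
# Reads the output of `certutil -L -d <security dir>` on stdin and checks:
#   - "Server-Cert" is present with trust "u,u,u" and is the only server cert
#   - the CA signing certificate (nickname in $1) has C and T in its SSL
#     trust group, i.e. it is trusted for both client and server auth
#   - no "Temporary CA certificate" was left behind
# Prints one line per finding; exit status 0 means every check passed.
audit_ds_certs() {
    awk -v ca_nick="${1:-caSigningCert cert-pki-ca}" '
    # A trust-attribute field is three comma-separated groups of NSS trust
    # letters (p, P, c, C, T, u, w); the two header lines never match this.
    $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
        flags = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trailing flags field
        trust[nick] = flags
        if (flags ~ /u/) servers++             # "u" marks a cert with a private key
    }
    END {
        rc = 0
        if (!("Server-Cert" in trust)) { print "FAIL: Server-Cert missing"; rc = 1 }
        else if (trust["Server-Cert"] != "u,u,u") {
            print "FAIL: Server-Cert trust is " trust["Server-Cert"] ", expected u,u,u"; rc = 1 }
        if (servers != 1) { print "FAIL: expected one server cert, found " servers + 0; rc = 1 }
        if (!(ca_nick in trust)) { print "FAIL: CA cert \"" ca_nick "\" missing"; rc = 1 }
        else {
            split(trust[ca_nick], g, ",")
            if (g[1] !~ /C/ || g[1] !~ /T/) {
                print "FAIL: CA cert SSL trust is \"" g[1] "\", needs both C and T"; rc = 1 }
        }
        if ("Temporary CA certificate" in trust) { print "FAIL: temporary CA cert still present"; rc = 1 }
        if (rc == 0) print "OK: database matches the expected end state"
        exit rc
    }'
}

# Constructed sample listing (not output from any real system) in the
# certutil -L layout, used when no security directory is given on the command line.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
Server-Cert                                                  u,u,u
'
if [ -n "${1:-}" ]; then
    certutil -L -d "$1" | audit_ds_certs
else
    printf '%s' "$SAMPLE" | audit_ds_certs
fi
```

Run it as `sh audit.sh /etc/dirsrv/slapd-instance` against the real database, or with no argument to see it pass on the constructed sample.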