7.5. Configuring Server SSL Connections Between Red Hat Directory Server and Red Hat Certificate System

The CA, DRM, OCSP, TKS, and TPS all use a backend Red Hat Directory Server instance to store their certificate and configuration information. SSL connections can be configured between the Directory Server instance and the Certificate System subsystem instance by configuring SSL in the Directory Server and then enabling the Certificate System instance to use that connection.

NOTE

There are three parts to using SSL server connections with the Directory Server. The Directory Server must be configured before the Certificate System instance is configured. The next part imports the Directory Server's CA certificate into the new Certificate System database after installation but before configuration. The last part configures the Certificate System instance to connect to the Directory Server over SSL as part of the Certificate System setup.

7.5.1. Using an External CA to Issue Directory Server Certificates

When first setting up Certificate System, a local CA may not be available. An external CA or a CA in a different PKI environment can be used to issue the certificates that are used to enable SSL on the Directory Server instance. In that case, the only configuration necessary on the Certificate System side is to trust the CA which issued the Directory Server certificates.

NOTE

The CA certificate for the external CA which issued the Directory Server's certificates must be imported into the security database for every subsystem instance which connects to that Directory Server.
  1. Configure the Red Hat Directory Server instance to run over SSL. This is described in detail in http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html.
    1. Obtain and install CA and server certificates for the Directory Server from the external authority. Each CA will have its own path for requesting and receiving certificates.
      When importing the CA certificate into the Directory Server security databases in the Directory Server Console, make sure to allow the CA certificate to be trusted for both client and server authentication.
    2. In the Directory Server Console, open the Configuration tab and the Encryption subtab. Check the Enable SSL checkbox and select all the ciphers and certificates to use.
    3. At the bottom of the window, select the Allow client authentication radio button. Do not require client authentication. Requiring client authentication will prevent the Certificate System server from connecting to the Directory Server instance.
    4. Restart the Directory Server instance.
      service dirsrv restart
  2. If necessary, export the Directory Server's CA certificate so it can be imported into the Certificate System security database. The CA certificate had to be imported into the Directory Server, so a copy should be available. If not, the CA certificate can be exported from the Directory Server Console or by using certutil.
    certutil -L -d /ldap/alias/directory -n "DS CA certificate" -a > cacert.crt
  3. Import that Directory Server's CA certificate into the Certificate System security database. Importing the CA certificate allows the Certificate System instance to connect to the Directory Server over the secure port during its setup process.
    # service instance_name stop
    
    # certutil -A -i cacert.crt -t "CT,C,C" -n "CA_cert_nickname" -a -d /var/lib/instance_name/alias
    
    # service instance_name start
  4. For the TPS only. After the CA is configured, and after the TPS is created but before it is configured, import the Directory Server's CA certificate into the TPS's security databases.
    # certutil -A -i cacert.crt -t "CT,C,C" -n "CA_cert_nickname" -a -d /var/lib/pki-tps/alias
  5. Begin the instance setup. When the wizard comes to the section to configure the LDAP instance to use, supply the SSL port for the Directory Server instance and select the SSL checkbox.
  6. Optional. Configure SSL client authentication between the Certificate System and LDAP server. This is done after the instance is set up and is covered in the section in the Certificate System Administrator's Guide for configuring the LDAP database.
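The following script is an added example, not part of the Red Hat guide. It wraps step 3 (importing the Directory Server's CA certificate with certutil) and adds the check the procedure leaves implicit: reading the trust flags that certutil -L reports and confirming the SSL field carries an uppercase C, since a CA imported with ",," or only a lowercase c will not let the subsystem validate the Directory Server's certificate. The database path, certificate file and nickname are the guide's placeholders; the listing used for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): import the Directory Server's CA
# certificate into a Certificate System NSS database and verify the trust flags
# reported by `certutil -L`. Placeholders assumed from the guide:
# /var/lib/instance_name/alias, cacert.crt, "CA_cert_nickname".

# ssl_ca_trusted LISTING NICKNAME
# LISTING is the text printed by `certutil -L -d <dbdir>`. Returns 0 only when
# NICKNAME is present and its SSL (first) trust field contains an uppercase C.
ssl_ca_trusted() {
    flags=$(printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            f = $NF                                 # trailing field: trust attributes
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)     # strip it; the rest is the nickname
            if ($0 == nick) { print f; exit }
        }')
    case "${flags%%,*}" in
        *C*) return 0 ;;   # C = trusted CA for SSL; lowercase c (valid CA) is not enough
        *)   return 1 ;;
    esac
}

# import_and_verify DBDIR CERTFILE NICKNAME
# Step 3 of the procedure followed by the trust-flag check. Requires certutil.
import_and_verify() {
    certutil -A -i "$2" -t "CT,C,C" -n "$3" -a -d "$1" || return 1
    ssl_ca_trusted "$(certutil -L -d "$1")" "$3"
}

# Constructed sample of `certutil -L` output, in the column layout certutil prints.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DS CA certificate                                            CT,C,C
Server-Cert cert-pki-ca                                      u,u,u
Untrusted import                                             ,,'

if [ "${1:-}" = "--demo" ]; then
    ssl_ca_trusted "$SAMPLE_LISTING" "DS CA certificate" && echo "DS CA certificate: trusted CA for SSL"
    ssl_ca_trusted "$SAMPLE_LISTING" "Untrusted import" || echo "Untrusted import: no SSL CA trust"
fi
```

Run with `--demo` to exercise the check against the constructed listing; on a real instance call `import_and_verify /var/lib/instance_name/alias cacert.crt CA_cert_nickname` after stopping the subsystem as in step 3.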