9.3. Managing the NSS Database Used by Directory Server
9.3.1. Creating the NSS Database for a Directory Server Instance
The NSS database of a Directory Server instance is stored in the /etc/dirsrv/slapd-instance_name/ directory. Before you can manage the certificates, you must create the database.
9.3.1.1. Creating the NSS Database Using the Command Line
- Create the NSS database and set a password:
# certutil -d /etc/dirsrv/slapd-instance_name/ -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
- Set the permissions:
# chown dirsrv:dirsrv /etc/dirsrv/slapd-instance_name/*.db
# chown dirsrv:dirsrv /etc/dirsrv/slapd-instance_name/pkcs11.txt
# chmod 600 /etc/dirsrv/slapd-instance_name/*.db
# chmod 600 /etc/dirsrv/slapd-instance_name/pkcs11.txt
9.3.1.2. Creating the NSS Database Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates, and set a password to protect the database.
9.3.2. Creating a Certificate Signing Request
9.3.2.1. Creating a Certificate Signing Request Using the Command Line
To create a Certificate Signing Request (CSR), use the certutil utility:
# certutil -d instance_directory -R -g key_size -a \
    -o output_file -8 FQDN -s "certificate_subject"
Example 9.1. Creating a Private Key and CSR for a Single Host Name
The following command creates a private key and a CSR for the server.example.com host and stores the CSR in the /root/instance_name.csr file:
# certutil -d /etc/dirsrv/slapd-instance_name/ -R -g 4096 -a \
    -o /root/instance_name.csr -8 server.example.com \
    -s "CN=server.example.com,O=example_organization,OU=IT,ST=North Carolina,C=US"
The -8 server.example.com option adds the subject alternative name (SAN) extension with the DNS:server.example.com entry to the CSR. The string specified in the -s parameter must be a valid subject name according to RFC 1485. The CN field is required, and you must set it to the Fully Qualified Domain Name (FQDN) of the server. The other fields are optional.
Example 9.2. Creating a Private Key and CSR for a Multi-homed Host
The following command creates a private key and a CSR for the server.example.com and server.example.net host names. The command stores the CSR in the /root/instance_name.csr file.
# certutil -d /etc/dirsrv/slapd-instance_name/ -R -g 4096 -a \
    -o /root/instance_name.csr -8 server.example.com,server.example.net \
    -s "CN=server.example.com,O=example_organization,OU=IT,ST=North Carolina,C=US"
The -8 server.example.com,server.example.net option adds the SAN extension with the DNS:server.example.com, DNS:server.example.net entries to the CSR. The string specified in the -s parameter must be a valid subject name according to RFC 1485. The CN field is required, and you must set it to one of the FQDNs of the server. The other fields are optional.
For further details about certutil and extended usage information, see the certutil(1) man page.
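Added example (shell, not from the Red Hat documentation): pre-flight helpers for the two rules stated in Section 9.3.1.1 and above, namely that the NSS database files are mode 0600 and that the CN in the -s subject is one of the host names passed with -8. The instance directory, output path and subject values are placeholders; nothing in the block runs certutil itself.

```shell
#!/bin/bash
# Added example, not part of the Red Hat documentation. Pre-flight checks for
# the certutil commands shown in 9.3.1 and 9.3.2.1; nothing here runs certutil.
set -u

# Extract the CN attribute from a subject DN such as "CN=host,O=org".
subject_cn() {
    printf '%s' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Return 0 if the subject's CN equals one of the comma-separated -8 host names,
# as required for both the single-host and the multi-homed CSR.
check_cn_in_sans() {
    local subject=$1 sans=$2 cn
    cn=$(subject_cn "$subject")
    [ -n "$cn" ] || return 1
    printf '%s' "$sans" | tr ',' '\n' | grep -qxF -- "$cn"
}

# Print (do not run) the certutil -R command for the given parameters, or fail
# when the CN/SAN rule is broken or the RSA key size is below 2048 bits.
build_csr_cmd() {
    local instdir=$1 keysize=$2 sans=$3 subject=$4 out=$5
    check_cn_in_sans "$subject" "$sans" ||
        { echo "error: CN must be one of the -8 host names: $sans" >&2; return 1; }
    [ "$keysize" -ge 2048 ] ||
        { echo "error: RSA key size $keysize is below 2048 bits" >&2; return 1; }
    printf 'certutil -d %s -R -g %s -a -o %s -8 %s -s "%s"\n' \
        "$instdir" "$keysize" "$out" "$sans" "$subject"
}

# Return 0 if every *.db file and pkcs11.txt in the instance directory is mode
# 0600, the permission set in 9.3.1.1 (ownership is not checked here).
check_nss_perms() {
    local dir=$1 f mode
    for f in "$dir"/*.db "$dir"/pkcs11.txt; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        [ "$mode" = "600" ] || { echo "error: $f has mode $mode, expected 600" >&2; return 1; }
    done
}

# Usage with the page's placeholder values (the instance path is a placeholder):
build_csr_cmd /etc/dirsrv/slapd-instance_name/ 4096 \
    server.example.com,server.example.net \
    "CN=server.example.com,O=example_organization,OU=IT,ST=North Carolina,C=US" \
    /root/instance_name.csr
```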
9.3.2.2. Creating a Certificate Signing Request Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- On the Server Certs tab, click the button.
- Select if you want to request the certificate manually or from one of the displayed CAs and click.
- Enter the requested information and click.
Important
Enter the Fully Qualified Domain Name (FQDN) of the server into the Server name field.
- Select the key size and signing algorithm. Click. For security reasons, use an RSA key size of 2048 bits or higher and a strong signing algorithm, such as SHA-256 or higher.
- Enter the password of the Network Security Services (NSS) database and click Done. If you use a Hardware Security Module (HSM) to store the certificates, the device is plugged in, and the module has been installed as described in Section 9.7, “Using Hardware Security Modules”, then the module is available in the Active Encryption Token menu.
- Copy the CSR to the clipboard or save it into a file.
- Click.
9.3.3. Installing a CA Certificate
Table 9.1. CA Trust Options
Console Option | certutil Option | Description |
---|---|---|
Accepting connections from clients (Client Authentication) | T,, | The server trusts this CA certificate for issuing client certificates suitable for TLS EXTERNAL binds. |
Accepting connections to other servers (Server Authentication) | C,, | The server verifies that certificates, used to establish an encrypted connection to a replication partner, have been issued by a trusted CA. |
To set both options using certutil, pass the -t "CT,," parameter to the utility.
9.3.3.1. Installing a CA Certificate Using the Command Line
To install a CA certificate, use the certutil utility. For example, to import the CA certificate stored in the /etc/pki/CA/nss/ca.crt file:
# certutil -d /etc/dirsrv/slapd-instance_name/ -A -n "certificate_nickname" \
    -t "C,," -i /etc/pki/CA/nss/ca.crt
The -t trust_options parameter sets which certificates issued by the CA should be trusted. See Table 9.1, “CA Trust Options”.
9.3.3.2. Installing a CA Certificate Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- Select the CA Certs tab and click the button.
- Either select the file that contains the server certificate or paste the certificate into the field. Click.
- Verify the certificate details and click.
- Verify the certificate nickname and click.
- Set which certificates issued by the CA should be trusted. You can select one or both of the options. See Table 9.1, “CA Trust Options”.
9.3.4. Installing a Certificate
9.3.4.1. Installing a Server Certificate Using the Command Line
To install a server certificate, use the certutil utility. For example:
- Install the CA certificate. See Section 9.3.3, “Installing a CA Certificate”.
- Import the certificate. For example, to import the certificate stored in the /root/instance_name.crt file:
# certutil -d /etc/dirsrv/slapd-instance_name/ -A \
    -n "server-cert" -t ",," -a -i /root/instance_name.crt
- Optionally, verify the certificate:
# certutil -d /etc/dirsrv/slapd-instance_name/ -V -n "server-cert" -u V
For further details about certutil commands, see the certutil(1) man page.
9.3.4.2. Installing a Certificate Using the Console
- Install the CA certificate. See Section 9.3.3, “Installing a CA Certificate”.
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- Click the button.
- Select the file that contains the server certificate or, alternatively, paste the certificate into the field. Click.
- Verify the certificate details and click.
- Set a certificate nickname and click.
Note
The Directory Server Console does not support installing a certificate that uses the same nickname as an existing one. To work around the problem, install the certificate using the command line. See Section 9.3.4.1, “Installing a Server Certificate Using the Command Line”.
- Enter the password of the NSS database and click.
9.3.5. Generating and Installing a Self-signed Certificate
- Verify if the Network Security Services (NSS) database is already initialized:
# certutil -d /etc/dirsrv/slapd-instance_name -L
If the command fails, initialize the database. For details, see Section 9.3.1, “Creating the NSS Database for a Directory Server Instance”.
- Generate a noise file with random data. For example, to generate a file with a size of 4096 bits:
# openssl rand -out /tmp/noise.bin 4096
- Create the self-signed certificate and add it to the NSS database:
# certutil -S -x -d /etc/dirsrv/slapd-instance_name/ -z /tmp/noise.bin \
    -n "server-cert" -s "CN=$HOSTNAME" -t "CT,C,C" -m $RANDOM \
    --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
Red Hat Enterprise Linux automatically replaces the $HOSTNAME variable with the Fully Qualified Domain Name (FQDN) and $RANDOM with a randomly-generated number. For further details about the parameters used in the previous commands, see the certutil(1) man page.
- Optionally, verify that the generated certificate is self-signed:
# certutil -L -d /etc/dirsrv/slapd-instance_name/ -n "server-cert" | egrep "Issuer|Subject"
        Issuer: "CN=server.example.com"
        Subject: "CN=server.example.com"
The output of this command must display the FQDN of the Directory Server host for both the issuer and subject of the certificate.
9.3.6. Renewing a Certificate
9.3.6.1. Renewing a Certificate Using the Command Line
- Create a new Certificate Signing Request (CSR) with the same options, such as key size, host name, and subject. For details about creating a CSR, see Section 9.3.2.1, “Creating a Certificate Signing Request Using the Command Line”.
- After you receive the issued certificate from your CA, install it in the database using the same nickname. See Section 9.3.3.1, “Installing a CA Certificate Using the Command Line”.
9.3.6.2. Renewing a Certificate Using the Console
9.3.7. Removing a Certificate
9.3.7.1. Removing a Certificate Using the Command Line
- Remove the private key. See Section 9.3.8, “Removing a Private Key”.
- Optionally, display the certificates in the database:
# certutil -d /etc/dirsrv/slapd-instance_name/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
server-cert                                                  u,u,u
- Remove the certificate. For example, to remove the certificate with the server-cert nickname:
# certutil -d /etc/dirsrv/slapd-instance_name/ -D -n "server-cert"
9.3.7.2. Removing a Certificate Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- On the Server Certs tab, select the certificate and click the button.
- Click to confirm.
9.3.8. Removing a Private Key
9.3.8.1. Removing a Private Key Using the Command Line
- Remove all certificates based on the key you want to delete. See Section 9.3.7, “Removing a Certificate”.
- Optionally, display the keys in the database:
# certutil -d /etc/dirsrv/slapd-instance_name/ -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      7a2fb6c269d83c4036eac7e4edb6aaf2ed08bc4a   server-cert
< 1> rsa      662b826aa3dd4ca7fd7e6883558cf3866c42f4e2   example-cert
- Remove the private key. For example, to remove the private key with the example-cert nickname:
# certutil -d /etc/dirsrv/slapd-instance_name/ -F -n "example-cert"
9.3.8.2. Removing a Private Key Using the Console
9.3.9. Changing the CA Trust Options
9.3.9.1. Changing the CA Trust Options Using the Command Line
To change the CA trust options using the command line, pass the -t parameter to the certutil utility. For example, to change the trust options of the CA certificate with the example-CA nickname:
# certutil -d /etc/dirsrv/slapd-instance_name/ -M -t "T,," -n "example-CA"
The -t trust_options parameter sets which certificates issued by the CA should be trusted. See Table 9.1, “CA Trust Options”.
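Added example (shell, not from the Red Hat documentation): a small parser for the listing that certutil -L prints, reporting for each CA nickname which of the two Table 9.1 roles its SSL trust flags grant, useful for auditing the trust options set in Section 9.3.3 and changed here. The listing embedded in the block is constructed sample output, not captured from a real instance.

```shell
#!/bin/bash
# Added example, not part of the Red Hat documentation. Maps the SSL trust
# column of a `certutil -L` listing to the roles in Table 9.1:
#   C = trusted CA for server certificates (connections to replication partners)
#   T = trusted CA for client certificates (TLS EXTERNAL binds)

# Constructed sample listing, shaped like the output shown in 9.3.7.1.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
Replication CA                                               C,,
Clients CA                                                   T,,
server-cert                                                  u,u,u'

# Print "nickname<TAB>roles" for every entry whose SSL flags contain C or T.
# Entries with neither flag (for example the server certificate, u,u,u) are skipped.
describe_ca_trust() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF == 0 { next }          # skip the two header lines and blanks
        {
            split($NF, col, ",")             # last field is "ssl,smime,jar"
            ssl = col[1]
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)  # drop the trust column, keep the nickname
            roles = ""
            if (index(ssl, "C")) roles = roles " server-auth"
            if (index(ssl, "T")) roles = roles " client-auth"
            if (roles == "") next
            printf "%s\t%s\n", nick, substr(roles, 2)
        }'
}

describe_ca_trust "$SAMPLE_LISTING"
```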
9.3.9.2. Changing the CA Trust Options Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- Select the CA Certs tab.
- Select the CA to edit, click the button, and set which certificates issued by the CA should be trusted. You can select one or both of the options. See Table 9.1, “CA Trust Options”.
9.3.10. Changing the Password of the NSS Database
9.3.10.1. Changing the Password of the NSS Database Using the Command Line
# certutil -d /etc/dirsrv/slapd-instance_name -W
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Password changed successfully.
9.3.10.2. Changing the Password of the NSS Database Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- Click the Change Password button.
- Enter the current and the new password and click.
9.3.11. Adding a Certificate Revocation List
9.3.11.1. Adding a Certificate Revocation List Using the Command Line
To add a Certificate Revocation List (CRL) using certutil, pass the -4 URL_to_CRL_file parameter to the utility when you install the CA certificate.
9.3.11.2. Adding a Certificate Revocation List Using the Console
- Open the Directory Server Console.
- On the Tasks tab, click Manage Certificates.
- Select the Revoked Certs tab and click the button.
- Enter the path to the file, select the list format, and click.