10.8. Updating the TLS Certificates Used for Attribute Encryption

Attribute encryption is based on the TLS certificate. To prevent attribute encryption from failing after you renew or replace the TLS certificate, complete the following steps:
  1. Export the database with decrypted attributes. See Section 10.7.1, “Exporting an Encrypted Database”.
  2. Delete the existing private key and certificate from the Network Security Services (NSS) database. See Section 9.3.8, “Removing a Private Key”.
  3. Create a new Certificate Signing Request (CSR). See Section 9.3.2, “Creating a Certificate Signing Request”.
  4. Install the new certificate. See Section 9.3.4, “Installing a Certificate”.
  5. Stop the Directory Server instance:
    # systemctl stop dirsrv@instance_name
  6. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and remove the following entries, including their attributes:
    • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config

    Important

    Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
  7. Start the instance:
    # systemctl start dirsrv@instance_name
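As an added example (not from the Red Hat Directory Server documentation or product), the following Python helper performs step 6 on the text of dse.ldif while the instance is stopped and applies the check the Important note calls for: it drops the cn=AES and cn=3DES entries under cn=encrypted attribute keys for every database and reports any entry that still carries nsSymmetricKey. It assumes standard LDIF formatting (blank-line-separated entries, continuation lines starting with a space) and runs against a constructed sample whose key values are placeholders, not real keys.

```python
"""Strip the AES/3DES key entries from dse.ldif text. Added example, not
Red Hat Directory Server code; assumes standard LDIF (folded lines start with a space)."""
import re

# DNs the procedure removes: cn=AES / cn=3DES under cn=encrypted attribute
# keys of every database (DN shape taken from the procedure text).
KEY_ENTRY_RE = re.compile(
    r"^cn=(?:AES|3DES),cn=encrypted attribute keys,cn=[^,]+,"
    r"cn=ldbm database,cn=plugins,cn=config$", re.IGNORECASE)
SYMKEY_RE = re.compile(r"^nsSymmetricKey:", re.IGNORECASE | re.MULTILINE)

# Constructed sample dse.ldif fragment; the key values are placeholders.
SAMPLE = """dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: AES
nsSymmetricKey: PLACEHOLDER-AES-KEY

dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: 3DES
nsSymmetricKey: PLACEHOLDER-3DES-KEY
 -continued-on-a-folded-line
"""


def entries(ldif_text):
    """Unfold continuation lines, then split on blank lines into entries."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    return [e for e in re.split(r"\n\s*\n", unfolded.strip()) if e.strip()]


def dn_of(entry):
    """Return an entry's DN, or '' for a block without one (e.g. comments)."""
    m = re.search(r"^dn:\s*(.*)$", entry, re.MULTILINE)
    return m.group(1).strip() if m else ""


def strip_key_entries(ldif_text):
    """Return (cleaned LDIF, removed DNs, DNs that still hold nsSymmetricKey)."""
    kept, removed = [], []
    for entry in entries(ldif_text):
        dn = dn_of(entry)
        if KEY_ENTRY_RE.match(dn):
            removed.append(dn)
        else:
            kept.append(entry)
    # Any entry still carrying nsSymmetricKey would stop the instance from starting.
    leftovers = [dn_of(e) for e in kept if SYMKEY_RE.search(e)]
    return "\n\n".join(kept) + "\n", removed, leftovers
```

To apply it to a real instance, read /etc/dirsrv/slapd-instance_name/dse.ldif, keep a backup copy, and write the cleaned text back only when the returned leftovers list is empty.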