10.5. Updating the TLS Certificates Used for Attribute Encryption
- Export the database with decrypted attributes. See Section 10.4.1, “Exporting an Encrypted Database”.
- Delete the existing private key and certificate from the Network Security Services (NSS) database. See Section 9.3.8, “Removing a Private Key”
- Create a new Certificate Signing Request (CSR). See Section 9.3.1, “Creating a Certificate Signing Request”.
- Install the new certificate. See Section 9.3.4, “Installing a Server Certificate”.
- Stop the Directory Server instance:
# dsctl instance_name stop
- Edit the
/etc/dirsrv/slapd-instance_name/dse.ldiffile and remove the following entries including their attributes:
cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
ImportantRemove the entries for all databases. If any entry that contains the
nsSymmetricKeyattribute is left in the
/etc/dirsrv/slapd-instance_name/dse.ldiffile, Directory Server will fail to start.
- Import the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
- Start the instance:
# dsctl instance_name start