10.5. Updating the TLS Certificates Used for Attribute Encryption
Attribute encryption is based on the TLS certificate. To prevent attribute encryption from failing after you renew or replace the TLS certificate, follow these steps:
- Export the database with decrypted attributes. See Section 10.4.1, “Exporting an Encrypted Database”.
- Create a new Certificate Signing Request (CSR). See Section 9.3.1, “Creating a Certificate Signing Request”.
- Install the new certificate. See Section 9.3.4, “Installing a Server Certificate”.
- Stop the Directory Server instance:
# dsctl instance_name stop
- Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and remove the following entries, including their attributes:
cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
Important
Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
- Import the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
- Start the instance:
# dsctl instance_name start
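The step that most often goes wrong in this procedure is the manual edit of dse.ldif: a stray cn=AES or cn=3DES key entry for one of the databases, or a nsSymmetricKey attribute left behind, keeps the instance from starting. The following script is an added example, not part of Directory Server or its tooling. It treats dse.ldif as ordinary LDIF (blank-line separated entries, continuation lines starting with a space), drops every entry whose DN is cn=AES or cn=3DES under cn=encrypted attribute keys for any database, and then checks that no nsSymmetricKey attribute remains before you start the instance. The embedded sample dse.ldif content and its key values are constructed for illustration.

```python
"""Remove per-database attribute-encryption key entries from a dse.ldif copy
and verify that no nsSymmetricKey attribute is left behind.

Added example; not Directory Server's own code. The entry DNs and the
nsSymmetricKey attribute name are those named in the procedure above.
Run with the instance stopped; the script writes a .bak copy of the input
before overwriting it.
"""
import re
import shutil
import sys
from typing import List, Tuple

# Matches cn=AES / cn=3DES under "cn=encrypted attribute keys" for any database name.
KEY_ENTRY_RE = re.compile(
    r"^cn=(AES|3DES),cn=encrypted attribute keys,cn=[^,]+,"
    r"cn=ldbm database,cn=plugins,cn=config$",
    re.IGNORECASE,
)

# Constructed sample dse.ldif fragment: two databases (userRoot, example), three key entries.
# The nsSymmetricKey values are placeholders, not real key material.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-port: 389

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: userRoot
nsslapd-suffix: dc=example,dc=com

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: Q09OU1RSVUNURURfUExBQ0VIT0xERVJfS0VZX01BVEVSSUFM
 X05PVF9BX1JFQUxfS0VZ

dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: Q09OU1RSVUNURURfUExBQ0VIT0xERVI=

dn: cn=AES,cn=encrypted attribute keys,cn=example,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: Q09OU1RSVUNURURfUExBQ0VIT0xERVI=
"""


def split_ldif_entries(text: str) -> List[str]:
    """Split LDIF text into entries; a line starting with one space continues the previous line."""
    unfolded = re.sub(r"\n ", "", text)
    return [blk for blk in re.split(r"\n\s*\n", unfolded.strip("\n")) if blk.strip()]


def entry_dn(entry: str) -> str:
    """Return the DN of an entry (first 'dn:' line), or '' if none is present."""
    for line in entry.splitlines():
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    return ""


def remove_key_entries(text: str) -> Tuple[str, List[str]]:
    """Drop cn=AES/cn=3DES key entries for every database; return (new text, removed DNs)."""
    kept, removed = [], []
    for entry in split_ldif_entries(text):
        dn = entry_dn(entry)
        if KEY_ENTRY_RE.match(dn):
            removed.append(dn)
        else:
            kept.append(entry)
    return "\n\n".join(kept) + "\n", removed


def leftover_symmetric_keys(text: str) -> List[str]:
    """DNs of entries that still carry nsSymmetricKey; any hit means the server will not start."""
    return [
        entry_dn(e)
        for e in split_ldif_entries(text)
        if re.search(r"^nsSymmetricKey::?", e, re.IGNORECASE | re.MULTILINE)
    ]


def clean_dse_ldif(path: str) -> List[str]:
    """Back up, rewrite and verify a dse.ldif file; return the DNs that were removed."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        cleaned, removed = remove_key_entries(fh.read())
    leftovers = leftover_symmetric_keys(cleaned)
    if leftovers:
        raise RuntimeError("nsSymmetricKey still present in: " + ", ".join(leftovers))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return removed


if __name__ == "__main__":
    # Usage: python clean_dse_keys.py /etc/dirsrv/slapd-instance_name/dse.ldif
    for dn in clean_dse_ldif(sys.argv[1]):
        print("removed", dn)
```

Because the check runs over the whole file rather than over the databases you remember having encrypted, it catches the case the Important note warns about: a key entry for a second database that was left in place.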