Chapter 5. Changing the CA trust flags

The certificate authority (CA) trust flags define for which scenarios Directory Server trusts a CA certificate. For example, you set the flags to trust the certificate for TLS connections to the server and for certificate-based authentication.

5.1. Changing the CA trust flags using the command line

You can set the following trust flags on a certificate authority (CA) certificate:

  • C: Trusted CA
  • T: Trusted CA client authentication
  • c: Valid CA
  • P: Trusted peer
  • p: Valid peer
  • u: Private key

You specify the trust flags as three comma-separated fields, one for each category: TLS, email, and object signing.

For example, to trust the CA for TLS encryption and certificate-based authentication, set the trust flags to CT,,.

Prerequisites

  • You imported a CA certificate to the network security services (NSS) database.

Procedure

  1. Use the following command to change the trust flags of a CA certificate:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate set-trust-flags "Example CA" --flags "trust_flags"

Verification

  • Display all certificates in the NSS database:

    # certutil -d /etc/dirsrv/slapd-instance_name/ -L
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    Example CA                                                   CT,,
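The three-field flag format described above and the certutil verification step can both be checked programmatically. The following is an added example, not part of the Directory Server documentation: it validates a trust-flag string before it is handed to dsconf --flags, parses certutil -L output, and confirms that a CA carries the C and T flags in its TLS field. The certutil listing embedded below is a constructed sample.

```python
import re

# Flag letters from the documentation: C trusted CA, T trusted CA for client
# authentication, c valid CA, P trusted peer, p valid peer, u private key.
VALID_FLAGS = set("CTcPpu")
CATEGORIES = ("tls", "email", "object_signing")
# One certificate line of `certutil -L` output: nickname, 2+ spaces, trust attributes.
CERTUTIL_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$")
# Constructed sample of `certutil -d /etc/dirsrv/slapd-instance_name/ -L` output.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
Server-Cert                                                  u,u,u
"""

def parse_trust_flags(flags: str) -> dict:
    """Split "CT,," into its three categories; reject a wrong field count or unknown letters."""
    fields = flags.split(",")
    if len(fields) != len(CATEGORIES):
        raise ValueError(f"expected 3 comma-separated fields in {flags!r}")
    for field in fields:
        unknown = set(field) - VALID_FLAGS
        if unknown:
            raise ValueError(f"unknown trust flag(s) {sorted(unknown)} in {flags!r}")
    return dict(zip(CATEGORIES, fields))

def is_valid_trust_flags(flags: str) -> bool:
    """True if well formed, e.g. to check a value before handing it to dsconf --flags."""
    try:
        parse_trust_flags(flags)
    except ValueError:
        return False
    return True

def parse_certutil_listing(text: str) -> dict:
    """Map certificate nickname -> parsed trust flags from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        match = CERTUTIL_LINE.match(line.rstrip())
        if match:
            certs[match.group("nick").strip()] = parse_trust_flags(match.group("flags"))
    return certs

def ca_trusted_for_tls(listing: str, nickname: str, client_auth: bool = True) -> bool:
    """Verify the CA has C (TLS) and, when required, T (client auth) in its TLS field."""
    flags = parse_certutil_listing(listing).get(nickname)
    needed = {"C", "T"} if client_auth else {"C"}
    return flags is not None and needed <= set(flags["tls"])
```

Feed the real output of the certutil command from the verification step into ca_trusted_for_tls to confirm the change took effect; a missing T means certificate-based authentication against that CA will not be trusted.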

Additional resources

  • The certutil(1) man page

5.2. Changing the CA trust flags using the web console

You can use the web console to change the CA trust flags.

Prerequisites

  • You imported a CA certificate to the network security services (NSS) database.

Procedure

  1. Navigate to Server → Security → Certificate Management → Trusted Certificate Authorities.
  2. Click the ... icon next to the CA certificate, and select Edit Trust Flags.
  3. Select the trust flags.
  4. Click Save.

Verification

  1. Navigate to Server → Security → Certificate Management → Trusted Certificate Authorities.
  2. Click > next to the CA certificate to display the trust flags.