Chapter 6. Renewing a TLS certificate
TLS certificates have an expiration date and time. To continuously provide secure connections, renew the server certificate in Directory Server before it expires.
6.1. Renewing a TLS certificate using the command line
Follow this procedure before the TLS server certificate expires to renew it.
Prerequisites
- Attribute encryption is not configured.
- The TLS certificate will expire in the near future.
Create a private key and a certificate signing request (CSR). Skip this step if you want to create them using an external utility.
If your host is reachable only by one name, enter:
# dsctl instance_name tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization"
If your host is reachable by multiple names:
# dsctl instance_name tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization" server.example.com server.example.net
If you specify the host names as the last parameter, the command adds the Subject Alternative Name (SAN) extension with the DNS:server.example.com, DNS:server.example.net entries to the CSR.
The string specified in the -s subject parameter must be a valid subject name according to RFC 1485. The CN field in the subject is required, and you must set it to one of the fully-qualified domain names (FQDN) of the server. The command stores the CSR in the
Submit the CSR to the certificate authority (CA) to get a certificate issued. For further details, see your CA’s documentation.
Store both the CA certificate and the server certificate in the
Import the server certificate issued by the CA to the NSS database, using one of the following options:
If you created the private key using the dsctl tls generate-server-cert-csr command, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security certificate add --file /root/instance_name.crt --name "server-cert" --primary-cert
Remember the name of the certificate you set in the --name certificate_nickname parameter. You require it in a later step.
If you created the private key using an external utility, import the server certificate and the private key:
# dsctl instance_name tls import-server-key-cert /root/server.crt /root/server.key
Note that the command requires you to specify the path to the server certificate first and then the path to the private key. This method always sets the nickname of the certificate to
Import the CA certificate to the NSS database:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate add --file /root/ca.crt --name "Example CA"
Set the trust flags of the CA certificate:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate set-trust-flags "Example CA" --flags "CT,,"
This configures Directory Server to trust the CA for TLS encryption and certificate-based authentication.
Stop the instance:
# dsctl instance_name stop
Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file, and remove the following entries including their attributes:
cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
Start the instance:
# dsctl instance_name start
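Removing the cn=AES and cn=3DES entries by hand is easy to get wrong when an instance has several databases, and a single leftover nsSymmetricKey entry keeps the server from starting. The script below is an added example, not part of this chapter or of the Directory Server project: it cleans a copy of dse.ldif with POSIX sed and awk, keeps the cn=encrypted attribute keys container entries, and then checks that no nsSymmetricKey attribute survives before you put the file back. The sample dse.ldif content it writes is constructed for the demonstration (the database names, the wrapped dn: line and the key values are not from a real instance), and it assumes the usual LDIF layout of one entry per blank-line-separated block. Run it only against a copy, with the instance stopped as in the step above.

```shell
#!/bin/sh
# Added example (not Directory Server project code): strip the encrypted
# attribute key entries from a COPY of dse.ldif and verify that no entry with
# an nsSymmetricKey attribute is left, because the instance refuses to start
# if one is. All sample data below is constructed for the demo.
set -eu

# Join LDIF continuation lines (a leading space means "continues the previous
# line") so that a wrapped dn: line can be matched as a whole.
unfold_ldif() {
  sed -e ':a' -e '$!N' -e 's/\n //' -e 'ta' -e 'P' -e 'D' "$1"
}

# Copy $1 to $2, dropping every entry whose DN is cn=AES or cn=3DES directly
# under cn=encrypted attribute keys, for every database. The container entry
# cn=encrypted attribute keys,... itself is kept.
strip_encrypted_attribute_keys() {
  unfold_ldif "$1" | awk '
    BEGIN { RS = ""; ORS = "\n\n" }   # paragraph mode: one record per LDIF entry
    tolower($0) !~ /(^|\n)dn: cn=(aes|3des),cn=encrypted attribute keys,/ { print }
  ' > "$2"
}

# Exit status 0 only when no nsSymmetricKey attribute is left anywhere in $1.
has_no_symmetric_key() {
  ! grep -qi '^nsSymmetricKey:' "$1"
}

# Number of entries (dn: lines) in $1; prints 0 instead of failing on an empty file.
count_entries() {
  grep -c '^dn:' "$1" || true
}

# Constructed sample: two databases, one wrapped dn: line, and the container
# entry that must stay. Written to $1. Key values are placeholders.
write_sample_dse() {
  cat > "$1" <<'EOF'
dn: cn=config
objectClass: top
cn: config

dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey: Q29uc3RydWN0ZWQgc2FtcGxlIGtleSBBRVM=

dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey: Q29uc3RydWN0ZWQgc2FtcGxlIGtleSAzREVT

dn: cn=AES,cn=encrypted attribute keys,cn=secondDB,cn=ldbm database,cn=plugins
 ,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey: Q29uc3RydWN0ZWQgc2FtcGxlIGtleSBBRVMy
EOF
}

# Demo run on a temporary copy. The real file lives under
# /etc/dirsrv/slapd-instance_name/ and must only be edited while the instance
# is stopped; copy the cleaned file back yourself after checking the output.
work=$(mktemp -d)
write_sample_dse "$work/dse.ldif"
strip_encrypted_attribute_keys "$work/dse.ldif" "$work/dse.ldif.clean"
if has_no_symmetric_key "$work/dse.ldif.clean"; then
  echo "ok: $(count_entries "$work/dse.ldif.clean") entries left, no nsSymmetricKey remains"
else
  echo "refusing: an nsSymmetricKey entry is still present" >&2
fi
rm -rf "$work"
```

The check in has_no_symmetric_key is the part worth keeping even if you edit the file in an editor: grep the finished dse.ldif for nsSymmetricKey before starting the instance, and only run dsctl instance_name start when nothing matches.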