LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
NOTE: If you already have the certificate database files cert8.db and key3.db on your client
for other HP-UX applications, you can simply create symbolic links /etc/opt/ldapux/cert8.db
and /etc/opt/ldapux/key3.db that point to those existing cert8.db and key3.db files.
2.4.6.2.1 Steps to create certificate database files using the certutil utility
The following steps show how you can create the security database files, cert8.db and key3.db
on your client system using the Certificate Database Tool command line utility (certutil):
1. Retrieve the certificate. The procedure for this varies, depending on several factors. If your
organization is using either a certificate management system internal to the organization, or
a third-party certificate authority, you will usually use a web browser to download a Certificate
Authority (CA) certificate. The certificate is downloaded in one of two forms: ASCII-encoded
PEM form, or binary DER form.
If your organization is using Microsoft Certificate Services for Windows, the URL to download
the certificate is typically the following:
http://windows-server-name/certsrv
Click on the Download CA certificate link.
Save the CA certificate to a file and transfer it to the HP-UX host where LDAP-UX is being
configured for SSL.
NOTE: To download the CA certificate with Internet Explorer, click Save to save the CA
certificate to a file. Additionally, the direct URL for downloading the certificate may be required
if the ActiveX control used by Microsoft Certificate Services prior to Windows 2008 is not
supported. The direct URL would take the form of:
http://windows-server-name/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64
To download the CA certificate with Mozilla Firefox, click View, open the Details tab, and
then click Export... to save the CA certificate to a file.
In PEM form the certificate looks similar to this:
-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgIBJDANBgkghkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkga1UECBMCQ2ExEjAQBgNVBAcTCWN1cGVvsG1ubzEPMA0GA1UEChmgAhaUy29T
MRIwEAYDVQQLEw1RR1NMLUxkYXAxHDAaBgNVBAMTE0N1cnRpzmljYXR1IE1hbmFn
4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
-----END CERTIFICATE-----
As an alternative to installing the CA certificate, you can install and trust the LDAP server's
own certificate rather than the certificate of the CA that issued the LDAP server's certificate.
Because LDAP-UX then accepts connections only to the LDAP server whose certificate you
installed, this alternative establishes a narrower scope of trust. So, if you plan to connect
to multiple LDAP servers, you must install multiple server certificates. Additionally, because
server certificates tend to have a shorter validity period than CA certificates, you may
find yourself needing to update the certificate more often.
2. Use the rm command as in the following example to remove the old database files
/etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
# rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3. Create new certificate database files, using the command shown in the following example.
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -N
The certutil tool will prompt you to enter a password to protect the private key database.
If you will not be storing any private keys in the certificate database files, press Enter to leave
the password empty. LDAP-UX does not require a private key; however, if you plan to use
2.4 Customized installation (setup) 49
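The three steps above as one script, added here as an example and not taken from the HP guide. Before the database is (re)created it classifies the CA certificate file saved in step 1 as ASCII PEM or binary DER (the two forms the guide says you may receive), so you know which form you are holding before importing it. The certutil path and the /etc/opt/ldapux database directory are taken from the guide; the function names and the idea of checking the first DER byte are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): check the saved CA certificate's
# form, then perform steps 2 and 3 (remove the old cert8.db/key3.db and run
# certutil -N). Paths below are the ones the guide uses.

CERTUTIL=/opt/ldapux/contrib/bin/certutil   # from the guide
CERTDB_DIR=/etc/opt/ldapux                  # from the guide

# cert_form FILE
# Prints "pem" when the file carries PEM armor lines, "der" when its first
# byte is the ASN.1 SEQUENCE tag (0x30) that every DER X.509 certificate
# starts with, and "unknown" otherwise. Always returns 0; read the output.
cert_form() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo unknown
        return 0
    fi
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
       && grep -q -- '-----END CERTIFICATE-----' "$f"; then
        echo pem
        return 0
    fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 0
}

# create_certdb [DIR]
# Step 2 and step 3 of the guide: remove any old database files, then let
# certutil create fresh ones (it prompts for the key database password).
create_certdb() {
    d="${1:-$CERTDB_DIR}"
    if [ ! -x "$CERTUTIL" ]; then
        echo "certutil not found at $CERTUTIL" >&2
        return 1
    fi
    rm -f "$d/cert8.db" "$d/key3.db"
    "$CERTUTIL" -d "$d" -N
}

# Usage: sh mkcertdb.sh /tmp/ca.cer
#   reports the certificate form, then creates the database if certutil exists.
if [ $# -ge 1 ]; then
    echo "$1: $(cert_form "$1")"
    create_certdb
fi
```

Knowing the form matters at the next step of the procedure, where the certificate is imported into the new database; a file reported as "unknown" is usually an HTML error page saved by the browser instead of the certificate, which is worth catching before the database is wiped.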