LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
these certificate database files with other applications that make use of a private key, you
should set a password.
4. Add the downloaded CA certificate to the certificate database created in the preceding step.
If the CA certificate was downloaded in binary DER form, use the following command:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t "CT,," -i cacert.der
If the CA certificate was downloaded in ASCII-encoded PEM form, add the -a (ASCII) option,
as in the following example:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t "CT,," -i cacert.pem -a
If the certificate is a server certificate, use the "P,," trust flag:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "server cert" -t "P,," -i servercert.der
NOTE: The required -n parameter gives the certificate a nickname in the certificate database
files. The nickname value is arbitrary. If you plan to connect to multiple LDAP servers whose
SSL certificates were issued by different certificate authorities, use the nickname to
differentiate between the CA certificates. For example, you might name one "Issuer1 CA cert"
and the other "Issuer2 CA cert".
The -t parameter sets the trust bits for the certificate. For CA certificates, use "CT,," to
indicate that the certificate is trusted as an issuer of SSL certificates. For server certificates, use
"P,," to indicate that the certificate represents a trusted peer.
For more information about using the certutil utility, see the following website:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
2.4.6.2.2 Adjusting the Peer Certificate policy
With SSL/TLS, communication between clients (LDAP-UX) and servers (the directory server) can be
protected, and in addition the identities of the clients and servers can be validated to a chosen level
of assurance. This section describes how to adjust that validation level.
The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf
configuration file is a string variable used to control the validation level. The valid options for this
parameter are:
WEAK    Performs no validation of SSL or TLS certificates. Communication between the client
        and server can be encrypted, but the client has no assurance that it is communicating
        with a trusted server.
CERT    Verifies that the issuers of peer SSL or TLS certificates are trusted. Communication
        between the client and server can be encrypted, and the client has some assurance that
        it is communicating with a trusted server. In this mode it is still possible for the server
        to present a certificate that was issued for a different server, if the methods used to
        protect the private keys of server certificates are not in place. CERT is the default mode
        of operation with LDAP-UX.
CNCERT  Performs the CERT check and also verifies that the common name or subjectAltName
        values embedded in the certificate match the address used to connect to the LDAP
        server, as described in RFC 4513.
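The following Python is an added illustration of the three policy levels and of the name comparison that CNCERT performs; it is not LDAP-UX code, and the certificate dictionaries are constructed samples in the shape Python's ssl.getpeercert() returns (subjectAltName "DNS" and "IP Address" entries, subject RDNs). The check_peer, peer_name_matches and _dns_name_matches names are invented for this example. The matching rules follow RFC 4513 section 3.1.3: dNSName entries take precedence over the commonName, comparison is case-insensitive, a "*" wildcard is accepted only as the left-most label and matches exactly one label, and a reference identity that is an IP address can only be satisfied by an iPAddress entry, which is the case that matters when the client profile stores server IP addresses rather than host names.

```python
"""Hypothetical peer-certificate checks mirroring the WEAK / CERT / CNCERT
peer_cert_policy levels.  Added example, not LDAP-UX code."""
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap1.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed sample with no subjectAltName: only the commonName can be used.
SAMPLE_CERT_CN_ONLY = {
    "subject": (
        (("organizationName", "Example Org"),),
        (("commonName", "ldap-ip.example.net"),),
    ),
}


def _dns_name_matches(pattern, host):
    """Case-insensitive dNSName comparison; '*' may replace the left-most label only."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard anywhere but as the whole left-most label is rejected (conservative reading).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # '*' matches exactly one label: *.example.com matches a.example.com, not a.b.example.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _common_names(cert):
    """All commonName values from the subject, in RDN order."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def peer_name_matches(cert, reference):
    """The CNCERT name check. 'reference' is the host name or IP address the client
    used to open the connection."""
    san = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # Connected by IP address: only an iPAddress SAN entry can match, never the CN.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ref_ip
                   for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(p, reference) for p in dns_names)
    # No dNSName entries: fall back to the most specific (last) commonName.
    cns = _common_names(cert)
    return bool(cns) and _dns_name_matches(cns[-1], reference)


def check_peer(policy, issuer_trusted, cert, reference):
    """Return (accepted, reason) for one peer_cert_policy value.
    issuer_trusted stands for the result of the CA lookup in the certificate database."""
    policy = policy.upper()
    if policy == "WEAK":
        return True, "no certificate validation performed"
    if not issuer_trusted:
        return False, "issuer is not a trusted CA in the certificate database"
    if policy == "CERT":
        return True, "issuer trusted; certificate name not checked"
    if policy == "CNCERT":
        if peer_name_matches(cert, reference):
            return True, "issuer trusted and certificate name matches " + reference
        return False, "certificate name does not match " + reference
    raise ValueError("unknown peer_cert_policy: " + policy)


if __name__ == "__main__":
    for ref in ("ldap1.example.com", "LDAP2.EXAMPLE.COM", "a.b.example.com",
                "192.0.2.10", "192.0.2.11"):
        for pol in ("WEAK", "CERT", "CNCERT"):
            ok, why = check_peer(pol, True, SAMPLE_CERT, ref)
            print(f"{pol:7} {ref:20} {'accept' if ok else 'reject':6} {why}")
```

The last two reference identities show why the note that follows matters: a profile that addresses a server by IP passes CERT but fails CNCERT unless the server certificate carries a matching iPAddress subjectAltName.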
Increasing the certificate validation level from the default (CERT) to CNCERT requires additional,
specific configuration steps. If these are not properly established, the change can interfere with
LDAP-UX and with proper system operation. Because LDAP-UX can be used for host-name resolution
(similar to DNS), LDAP-UX normally stores the IP address of LDAP servers in the configuration profile.
This ensures that if LDAP-UX is asked to resolve a host name, it can do so without first needing to resolve the