LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
1. Retrieve the certificate. The procedure for this varies, depending on several factors. If your
organization is using either a certificate management system internal to the organization, or
a third-party certificate authority, you will usually use a web browser to download a CA
certificate. The certificate is downloaded in one of two forms: ASCII-encoded PEM form, or
binary DER form.
If your organization is using Microsoft Certificate Services for Windows, the web address
from which to download the certificate is typically the following:
http://windows-server-name/certsrv
Click on the Download CA certificate link.
Save the CA certificate to a file and transfer it to the HP-UX host where LDAP-UX is being
configured for SSL.
NOTE: To download the CA certificate with Internet Explorer, click Save to save the CA
certificate to a file. Additionally, the direct web address for downloading the certificate might
be required if the ActiveX control used by Microsoft Certificate Services before Windows
2008 is not supported. The direct web address would take the form of:
http://windows-server-name/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64
To download the CA certificate with Mozilla Firefox, click View, open the Details tab, and
then click Export... to save the CA certificate to a file.
In PEM form the certificate looks similar to this (the body is abbreviated):
-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgIBJDANBgkghkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkga1UECBMCQ2ExEjAQBgNVBAcTCWN1cGVvsG1ubzEPMA0GA1UEChmgAhaUy29T
MRIwEAYDVQQLEw1RR1NMLUxkYXAxHDAaBgNVBAMTE0N1cnRpzmljYXR1IE1hbmFn
4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
-----END CERTIFICATE-----
As an alternative to installing the CA certificate, you can install and trust the LDAP server's
own certificate rather than the certificate of the CA that issued the LDAP server's certificate.
Because LDAP-UX then accepts connections only to the LDAP server whose certificate is installed,
this alternative establishes a narrower scope of trust. So, if you plan to connect to multiple
LDAP servers, you must install each server's certificate. Additionally, because server
certificates tend to have a shorter validity period than CA certificates, you might find
yourself needing to update the installed certificate more often.
2. Use the rm command as in the following example to remove the old database files
/etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
# rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3. Create new certificate database files, using the command shown in the following example.
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -N
The certutil tool will prompt you to enter a password to protect the private key database.
If you will not be storing any private keys in the certificate database files, press Enter to leave
the password empty. LDAP-UX does not require a private key; however, if you plan to use
these certificate database files with other applications that make use of a private key, you
should set a password.
4. Add the downloaded CA certificate to the certificate database created in the preceding step.
If the CA certificate was downloaded in binary DER form, use the following command:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t "CT,," -i cacert.der
If the CA certificate was downloaded in ASCII-encoded PEM form, use the -a (ASCII) option
as in the following example:
2.4 Customized installation (setup) for an HP directory server environment 83
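The following is an added example, not code from the LDAP-UX guide or from HP, that ties step 1 (the downloaded file arrives as either PEM or DER) to steps 2 through 4 (rebuilding the certificate database and importing the CA certificate). It classifies the saved file, sanity-checks that a DER file really is a complete ASN.1 envelope rather than a truncated download or an HTML error page saved by the browser, and assembles the rm and certutil command lines with the -a option added only for PEM input. The certutil path, database directory, nickname and trust flags are the ones the guide shows; the sample certificate bytes are constructed for the example and are not a real certificate, so only the outer envelope is checked, not the signature or the CA flag.

```python
"""Classify a downloaded CA certificate file and build the LDAP-UX certutil
steps for it. Added example; the sample inputs below are constructed."""
import base64
import re
import subprocess
import sys
from typing import List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
CERTUTIL = "/opt/ldapux/contrib/bin/certutil"   # path shown in the guide
DB_DIR = "/etc/opt/ldapux"                        # path shown in the guide


def der_outer_length(data: bytes) -> int:
    """Total length of the outer ASN.1 SEQUENCE (tag 0x30) every DER
    certificate starts with, or -1 if the envelope is malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_form(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' (e.g. an HTML page saved by mistake
    or a truncated DER download whose envelope length does not match)."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text and PEM_FOOTER in text:
        return "pem"
    if der_outer_length(data) == len(data):
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first PEM certificate block to DER bytes."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER),
                  data.decode("ascii"), re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def certutil_steps(cert_path: str, form: str, nickname: str = "CA cert",
                   db_dir: str = DB_DIR) -> List[List[str]]:
    """Steps 2-4 of the guide as argv lists: remove the old database files,
    create a new database, then add the CA certificate with trust flags
    CT,, (trusted CA for SSL server and client certificates). The -a
    option is included only when the input is PEM."""
    if form not in ("pem", "der"):
        raise ValueError(f"cannot import a file of form {form!r}")
    ascii_opt = ["-a"] if form == "pem" else []
    return [
        ["rm", "-f", f"{db_dir}/cert8.db", f"{db_dir}/key3.db"],
        [CERTUTIL, "-d", db_dir, "-N"],
        [CERTUTIL, "-d", db_dir, "-A", *ascii_opt, "-n", nickname,
         "-t", "CT,,", "-i", cert_path],
    ]


def run_steps(steps: List[List[str]], dry_run: bool = True) -> None:
    """Print each command; execute it only when dry_run is False."""
    for argv in steps:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


# Constructed samples (not real certificates): a DER-shaped envelope around
# filler bytes, the same envelope re-encoded as PEM, and an HTML error page.
_body = b"\x00" * 300
SAMPLE_DER = b"\x30\x82" + len(_body).to_bytes(2, "big") + _body
SAMPLE_PEM = der_to_pem(SAMPLE_DER).encode("ascii")
SAMPLE_HTML = b"<html><body>Certificate Services error</body></html>\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PEM
    form = detect_form(data)
    print(f"{path or 'constructed sample'}: {form}")
    if form != "unknown":
        run_steps(certutil_steps(path or "cacert.pem", form), dry_run=True)
```

Run it with the path of the saved file as the only argument to see which form it is and the exact certutil sequence that will be used; switch dry_run to False on the HP-UX host once the output looks right.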