Red Hat Directory Server 8.0 Administrator's Guide
"cn=ldap.example.com"; it is beneficial to have a more descriptive name to help with server identification, such as "cn=ldap.example.com, ou=DS1". The FQDN must be available for DNS and reverse DNS lookups to Directory Server clients, because certificate validation may fail if the clients cannot properly resolve the FQDN, and some clients refuse to connect if a server certificate does not have its FQDN in the subject. Additionally, using the format cn=hostname.domain is essential for Directory Server clients to protect themselves from man-in-the-middle attacks.
To provide a subjectAltName, as well as the nickname, use the -8 argument in addition to
the -s argument.
To use the Directory Server behind a DNS round robin or any other scheme which aliases a
single server certificate to multiple hostnames, see the TLS/SSL information about server
name wildcards or subjectAltName.
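The check described above, from the client's side, as an added example that is not part of the guide: a client compares the FQDN it connected to against the server certificate's subjectAltName DNS entries and, only when there are none, against the subject commonName. The sample certificates are constructed here in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; they are not real certificates, and the wildcard rules (single leftmost label, matching exactly one label) are the common client behaviour, not something this page specifies.

```python
# Added example (not from the Red Hat guide): the hostname check a TLS client
# applies to a Directory Server certificate. Sample certificates are constructed
# below in the dict shape returned by Python's ssl.SSLSocket.getpeercert().


def _match_dns_name(pattern, hostname):
    """Match one certificate DNS name against the host the client connected to.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label ("*.example.com") and it matches
    exactly one label, so "*.example.com" covers "ldap.example.com" but not
    "example.com" or "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def verify_server_hostname(cert, hostname):
    """Return (ok, reason). subjectAltName DNS entries win; the CN is only a fallback."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        for name in san_dns:
            if _match_dns_name(name, hostname):
                return True, "matched subjectAltName DNS:%s" % name
        return False, "no subjectAltName DNS entry matches %s (have %s)" % (hostname, san_dns)
    # No SAN: fall back to the commonName in the subject (a short hostname fails here)
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    if not cns:
        return False, "certificate has neither a subjectAltName nor a commonName"
    if _match_dns_name(cns[-1], hostname):
        return True, "matched subject commonName %s" % cns[-1]
    return False, "subject commonName %r does not match %s" % (cns[-1], hostname)


# Constructed sample certificates (not real certificates):
FQDN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),), (("organizationalUnitName", "DS1"),)),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ds1.example.com")),
}
SHORT_NAME_CERT = {"subject": ((("commonName", "ldap"),),)}  # no FQDN in the subject
ROUND_ROBIN_CERT = {  # one certificate aliased to several hosts via a wildcard SAN
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    for cert, host in ((FQDN_CERT, "ldap.example.com"), (SHORT_NAME_CERT, "ldap.example.com"),
                       (ROUND_ROBIN_CERT, "ldap2.example.com"), (ROUND_ROBIN_CERT, "example.com")):
        print(host, verify_server_hostname(cert, host))
```

The SHORT_NAME_CERT case is the failure the text warns about: a subject of cn=ldap rather than cn=ldap.example.com never matches the FQDN the client resolved, so a strict client refuses the connection.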
Server certificates for other servers are created using a similar command as for the Directory
Server certificate. Make sure that every -n option (nickname) and -m option (serial number) is
unique for every certificate, and make sure that the -s option gives the correct FQDN for the
server.
NOTE
Keep careful track of the numbers set with the -m option. The -m option sets the unique identifier for the server certificate, and a CA cannot issue two certificates with the same ID. Keep a log of issued serial numbers so that no number is ever duplicated.
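One way to keep the serial-number log the note asks for, as an added example that is neither part of the guide nor a Red Hat tool: a small wrapper reserves the next unused -m value in a log file, refuses any serial or nickname already issued, and only then builds the certutil command line. The log format (tab-separated serial, nickname, subject) and the starting serial 1001 are this example's own choices; the certutil -S options beyond -n, -m, -s and -8 (-c issuer nickname, -t trust flags, -v validity in months, -f password file, -z noise file) are the standard NSS certutil options and are assumed here rather than taken from this page. The `run` parameter exists so the command can be recorded instead of executed.

```python
# Added example (not from the Red Hat guide): an issued-serial log that makes
# duplicate -m values impossible before certutil is ever invoked.
import subprocess
from pathlib import Path

LOG_HEADER = "# serial\tnickname\tsubject\n"   # constructed log format
FIRST_SERIAL = 1001                             # arbitrary starting point


def read_issued_serials(log_path):
    """Return {serial: nickname} for every certificate recorded in the log."""
    issued = {}
    p = Path(log_path)
    if not p.exists():
        return issued
    for line in p.read_text().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        serial, nickname, _subject = line.split("\t", 2)
        issued[int(serial)] = nickname
    return issued


def next_free_serial(log_path):
    """Highest issued serial plus one, so a number is never reused."""
    return max(read_issued_serials(log_path), default=FIRST_SERIAL - 1) + 1


def reserve_serial(log_path, serial, nickname, subject):
    """Record the serial before issuing; raise if the serial or nickname is taken."""
    issued = read_issued_serials(log_path)
    if serial in issued:
        raise ValueError("serial %d already issued to %r" % (serial, issued[serial]))
    if nickname in issued.values():
        raise ValueError("nickname %r already in use" % nickname)
    p = Path(log_path)
    if not p.exists():
        p.write_text(LOG_HEADER)
    with p.open("a") as f:
        f.write("%d\t%s\t%s\n" % (serial, nickname, subject))
    return serial


def certutil_issue_argv(db_dir, nickname, subject, serial, ca_nick="CA certificate",
                        pwdfile="/tmp/pwdfile", noise="/tmp/noise.txt", months=12, san=None):
    """Build the certutil -S command line (assumed standard NSS options)."""
    argv = ["certutil", "-S", "-d", db_dir, "-n", nickname, "-s", subject,
            "-c", ca_nick, "-t", "u,u,u", "-m", str(serial), "-v", str(months),
            "-f", pwdfile, "-z", noise]
    if san:
        argv += ["-8", ",".join(san)]   # subjectAltName DNS names, as in the text
    return argv


def issue_server_cert(db_dir, log_path, nickname, subject, san=None, run=subprocess.run):
    """Reserve a serial, then issue the certificate with it.

    The serial is logged before certutil runs: if certutil fails, the number is
    simply burned, which is harmless, whereas logging afterwards could let a
    crash leave an issued serial unrecorded and later reused.
    """
    serial = reserve_serial(log_path, next_free_serial(log_path), nickname, subject)
    argv = certutil_issue_argv(db_dir, nickname, subject, serial, san=san)
    run(argv, check=True)
    return serial, argv


if __name__ == "__main__":
    import sys
    # usage: issue_cert.py <certdb dir> <serial log> <nickname> <subject> [san,...]
    db, log, nick, subj = sys.argv[1:5]
    sans = sys.argv[5].split(",") if len(sys.argv) > 5 else None
    print(issue_server_cert(db, log, nick, subj, san=sans))
```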
8. Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in a TLS/SSL connection. Use certutil to export the CA certificate in ASCII/PEM format:
certutil -d . -L -n "CA certificate" -a > cacert.asc
The way that the CA certificate is imported is different for every client. For example, certutil can import a CA certificate into another Directory Server certificate database:
cd /etc/dirsrv/slapd-otherserver
certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
9. Use pk12util to export other server certificates and keys created with certutil so that they
can be used on a remote server.
pk12util -d . -o ldap1.p12 -n Server-Cert1 -w /tmp/pwdfile -k /tmp/pwdfile
Chapter 11. Managing SSL
404