Red Hat Directory Server 8.0 Administrator's Guide
client certificate resembles the following:
-----BEGIN CERTIFICATE-----
MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh
MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w
GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC
BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3
WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm
V0c2NhcGUgRGlyZWN0b3
-----END CERTIFICATE-----
3. Convert the client certificate into binary format using the certutil utility.
certutil -L -d certdbPath -n userCertName -r > userCert.bin
certdbPath is the directory that contains the certificate database; for example, a user
certificate for Mozilla Thunderbird is stored in the profile directory under $HOME/.thunderbird.
userCertName is the nickname of the certificate in that database, and userCert.bin is the name
of the output file for the binary (DER) format.
4. On the server, map the subject DN of the certificate to the appropriate directory entry by
editing the certmap.conf file.
NOTE
Do not map a certificate used for certificate-based authentication to a distinguished name
under cn=monitor. Mapping a certificate to a DN under cn=monitor causes the
bind operation to fail. Map the certificate to a target located elsewhere in the
directory information tree. Make sure that the verifyCert parameter is set to on
in the certmap.conf file. If this parameter is not set to on, Directory Server
simply searches for an entry in the directory that matches the information in the
certmap.conf file. If the search is successful, it grants access without actually
comparing the presented certificate to the value of the entry's userCertificate and
userCertificate;binary attributes, so any certificate from a trusted CA whose subject
maps to that entry can bind as the user.
5. In the Directory Server Console, modify the directory entry for the user who owns the client
certificate to add the userCertificate attribute.
a. Select the Directory tab, and navigate to the user entry.
b. Double-click the user entry, and use the Property Editor to add the userCertificate
attribute, with the binary subtype.
When adding this attribute, instead of an editable field, the server provides a Set Value
button.
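The following script is an added example, not part of the Red Hat guide, that carries steps 3 through 5 out from the command line: it exports the client certificate in DER form with certutil, writes a certmap.conf that has verifyCert set to on, and builds the LDIF change record that adds the DER value as userCertificate;binary (the command-line equivalent of the Console steps above). The directory paths, the certificate nickname, the user DN, the bind DN and the OpenLDAP-style ldapmodify options are assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat Directory Server guide). Assumes an NSS
# certificate database, a DER client certificate, and an OpenLDAP-style
# ldapmodify; all names and paths below are placeholders.
set -eu

# Step 3: export the client certificate from the NSS database as raw DER.
# $1 = directory holding the certificate database, $2 = certificate nickname,
# $3 = output file for the binary certificate.
export_client_cert_der() {
    certutil -L -d "$1" -n "$2" -r > "$3"
}

# Step 4: certmap.conf that maps on the subject DN (no DNComps means the whole
# subject DN is used as the entry DN) and sets verifycert on, so the bind only
# succeeds when the presented certificate is byte-for-byte equal to the
# userCertificate;binary value stored in the mapped entry. Copy the file into
# the server's configuration directory (path is an assumption).
write_certmap_conf() {
    cat > "$1" <<'EOF'
certmap default         default
default:DNComps
default:FilterComps     e
default:verifycert      on
EOF
}

# Step 5: LDIF change record adding the DER certificate as
# userCertificate;binary. Binary values use the LDIF "::" (base64) form; the
# value is folded at 75 columns and continuation lines get one leading space,
# so no line exceeds 76 characters (RFC 2849).
# $1 = DN of the user entry, $2 = DER certificate file.
cert_to_ldif() {
    b64=$(base64 < "$2" | tr -d '\n')
    printf 'dn: %s\nchangetype: modify\nadd: userCertificate;binary\n' "$1"
    printf 'userCertificate;binary:: %s\n' "$b64" | fold -w 75 | sed '1!s/^/ /'
}

# Usage: sh load_client_cert.sh <certdb-dir> <nickname> <user-dn> <ldap-url>
# (ldapmodify prompts for the Directory Manager password; bind DN assumed).
if [ $# -eq 4 ]; then
    der=$(mktemp)
    export_client_cert_der "$1" "$2" "$der"
    write_certmap_conf ./certmap.conf
    cert_to_ldif "$3" "$der" | ldapmodify -x -H "$4" -D "cn=Directory Manager" -W
    rm -f "$der"
fi
```

After loading the entry, test the mapping with an SSL client-certificate bind as the user and then, as a negative check, with a second certificate that carries the same subject DN but a different key: with verifycert on, the second bind must fail.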
Chapter 11. Managing SSL
418