HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

With the -ZZZ option, the following errors could occur, causing the Start TLS operation to fail:
• There is no certificate database. See “Obtaining and installing server certificates” (page 471)
for information on using certificates.
• The certificate database does not have the certificate authority (CA) certificate. See “Obtaining
and installing server certificates” (page 471) for information on using certificates.
• The server does not support Start TLS as an extended operation.
For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is
requested, then the connection continues to be in secure mode but prints the error "DSA is
unwilling to perform".
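When a Start TLS request fails, the result code in the server's reply narrows down the cause. The following added example (not part of this guide or of the Directory Server SDK) encodes the Start TLS extended request and decodes an extended response as defined in RFC 4511. Assumptions: the sample response bytes and diagnostic text are constructed, only short BER lengths are handled, and result code 53 (unwillingToPerform) is taken to be the code behind the SDK message quoted above.

```python
# Added example: encode an LDAP Start TLS extended request and decode the
# server's ExtendedResponse (RFC 4511). Short-form BER lengths only (< 128).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"

# Subset of RFC 4511 result codes relevant to a Start TLS attempt.
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform"}


def tlv(tag, value):
    """Encode one BER element with a short-form length."""
    if len(value) > 127:
        raise ValueError("long-form lengths not handled in this example")
    return bytes([tag, len(value)]) + value


def start_tls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { [0] OID } }."""
    op = tlv(0x77, tlv(0x80, START_TLS_OID))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + op)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end


def parse_extended_response(data):
    """Return (result_code, result_name, diagnostic_message)."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)                 # messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                               # [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(op, 0)                # resultCode (ENUMERATED)
    _, _, pos = read_tlv(op, pos)                 # matchedDN
    _, diag, _ = read_tlv(op, pos)                # diagnosticMessage
    n = int.from_bytes(code, "big")
    return n, RESULT_NAMES.get(n, "other"), diag.decode("utf-8", "replace")


# Constructed sample: a server refusing Start TLS with code 53.
SAMPLE_REFUSAL = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
    tlv(0x0A, b"\x35") + tlv(0x04, b"") + tlv(0x04, b"TLS already started")))
```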
12.2 Obtaining and installing server certificates
Before the Directory Server can be set to run in TLS/SSL, server and CA certificates must be properly
configured in the Directory Server. If a server certificate has already been generated for the Directory
Server instance and the issuing certificate authority (CA) is already trusted by the Directory Server,
begin setting up TLS/SSL as described in “Starting the server with TLS/SSL enabled” (page 480).
Obtaining and installing certificates consists of the following steps:
1. Generate a certificate request.
2. Send the certificate request to a certificate authority.
3. Install the server certificate.
4. Set the Directory Server to trust the certificate authority.
5. Confirm that the certificates are installed.
Two wizards automate the process of creating a certificate database and of installing the key-pair.
The Certificate Request Wizard in the Directory Server Console can generate a certificate request
and send it to a certificate authority. The Certificate Install Wizard in the Directory Server Console
can then install the server certificate and the CA certificate.