HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

and it must be set as readonly for the Directory Server user and allow no access to anyone
else (mode 0400). HP recommends that you have a secure backup of this file.
4. Set the environment variable for the shell to include the certutil directory path. For example:
export PATH=/opt/dirsrv/bin/:$PATH
The command varies depending on the shell.
5. Create the key and certificate databases.
certutil -N -d . -f ./pwdfile
6. Generate the self-signed CA certificate. The certutil command creates the required key
pairs and the certificate. This certificate is used to generate the other server certificates and
can be exported for use with other servers and clients.
certutil -S -n "CA certificate" -s "cn=My Org CA cert, dc=example,dc=com" \
-2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f ./pwdfile
7. Generate the Directory Server client certificate.
certutil -S -n "Server-Cert" -s "cn=FQDN,ou=Directory Server" -c "CA certificate" \
-t "u,u,u" -m 1001 -v 120 -d . -k rsa -f ./pwdfile
The value of the -s argument is very important. The leftmost RDN must be cn=FQDN (where
FQDN is the fully-qualified host and domain name of the Directory Server). For example, to
issue a certificate for a server with the name ldap.example.com, specify at least -s
"cn=ldap.example.com"; it is beneficial to have a more descriptive name to help with
server identification, such as "cn=ldap.example.com, ou=DS1". The FQDN must be
available for DNS and reverse DNS lookups to Directory Server clients because certificate
validation may fail if the clients cannot properly resolve the FQDN, and some clients refuse
to connect if a server certificate does not have its FQDN in the subject. Additionally, using
the format cn=hostname.domain is essential for Directory Server clients to protect themselves
from man-in-the-middle attacks.
To provide a subjectAltName, as well as the nickname, use the -8 argument in addition to
the -s argument.
To use the Directory Server behind a DNS round robin or any other scheme that aliases a
single server certificate to multiple host names, see the TLS/SSL information about server name
wildcards or subjectAltName.
Server certificates for other servers are created using a similar command as for the Directory
Server certificate. Make sure that every -n option (nickname) and -m option (serial number)
is unique for every certificate, and make sure that the -s option gives the correct FQDN for
the server.
NOTE:
Keep careful track of the numbers set with the -m option. The -m option sets the unique
identifier for the server certificate, and a CA cannot issue two certificates with the same ID.
Keep a log of issued serial numbers so that no number is ever duplicated.
8. Export the CA certificate for use with other servers and clients. A client usually requires the
CA certificate to validate the server certificate in a TLS/SSL connection. Use certutil to
export the CA certificate in ASCII/PEM format:
certutil -d . -L -n "CA certificate" -a > cacert.asc
The way that the CA certificate is imported is different for every client. For example, certutil
can import a CA certificate into another Directory Server certificate database:
cd /etc/opt/dirsrv/slapd-otherserver
certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
9. Use pk12util to export other server certificates and keys created with certutil so that
they can be used on a remote server.
pk12util -d . -o ldap1.p12 -n Server-Cert1 -w /tmp/pwdfile -k ./pwdfile
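The following shell helper is an added example and is not part of the HP-UX guide: it wraps the step 7 certutil command with the two checks the text leaves to the administrator, namely that the leftmost RDN of -s is cn=FQDN and that no -m serial number or -n nickname is ever reused for this CA (the NOTE after step 7). The log file name SERIAL_LOG and the DRY_RUN switch are assumptions; the guide does not prescribe a log format.

```shell
#!/bin/sh
# Added example, not part of the HP-UX guide: wraps step 7 with the two checks the
# text asks the administrator to make by hand. SERIAL_LOG and DRY_RUN are assumed
# names; the guide does not prescribe a log file format.
SERIAL_LOG=${SERIAL_LOG:-./issued-serials.log}   # one "SERIAL NICKNAME" line per cert

# check_subject SUBJECT FQDN : succeeds only if the leftmost RDN is exactly cn=FQDN
check_subject() {
    first_rdn=$(printf '%s' "$1" | cut -d, -f1 | sed 's/^ *//; s/ *$//')
    [ "$first_rdn" = "cn=$2" ]
}

# next_serial : one greater than the highest serial logged so far (1000 when empty)
next_serial() {
    [ -s "$SERIAL_LOG" ] || { echo 1000; return; }
    sort -n "$SERIAL_LOG" | tail -n 1 | awk '{print $1 + 1}'
}

# record_serial SERIAL NICKNAME : append to the log, refusing any duplicate -m or -n
record_serial() {
    [ -f "$SERIAL_LOG" ] || : > "$SERIAL_LOG"
    if grep -q "^$1 " "$SERIAL_LOG"; then
        echo "serial $1 already issued by this CA" >&2; return 1
    fi
    if grep -q " $2\$" "$SERIAL_LOG"; then
        echo "nickname $2 already in use" >&2; return 1
    fi
    printf '%s %s\n' "$1" "$2" >> "$SERIAL_LOG"
}

# issue_server_cert FQDN NICKNAME : run (or, with DRY_RUN set, print) the step 7 command
issue_server_cert() {
    subject="cn=$1,ou=Directory Server"
    check_subject "$subject" "$1" || { echo "subject must start with cn=$1" >&2; return 1; }
    serial=$(next_serial)
    if [ -n "$DRY_RUN" ]; then
        printf 'certutil -S -n "%s" -s "%s" -c "CA certificate" -t "u,u,u" -m %s -v 120 -d . -k rsa -f ./pwdfile\n' \
            "$2" "$subject" "$serial"
    else
        certutil -S -n "$2" -s "$subject" -c "CA certificate" -t "u,u,u" \
            -m "$serial" -v 120 -d . -k rsa -f ./pwdfile || return 1
    fi
    record_serial "$serial" "$2"   # only logged once certutil succeeded
}
```

Run it from the certificate database directory after steps 4 to 6, for example `issue_server_cert ldap.example.com Server-Cert`; set DRY_RUN=1 to see the command that would be issued without touching the database.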
478 Managing SSL