HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

12.7.6 Connecting to the Directory Server with certificate-based authentication
The Directory Server can connect to another Directory Server instance for chaining or replication
using certificate-based authentication, as configured in the database link or replication agreement.
Users can connect to the Directory Server with certificate-based authentication when using LDAP
tools such as ldapsearch. This requires four parameters:
-P to give the certificate database's file name and path
-N to give the SSL certificate name
-K to specify the private key database's file name and path
-W to give the password to the private key database
For example:
ldapsearch -p 389 -h server.example.com -D "uid=jsmith,ou=people,dc=example,dc=com" -P /home/jsmith/alias/cert8.db -N "My Cert" -K /home/jsmith/alias/key3.db -W secret
For information on how to use TLS/SSL with ldapmodify, ldapdelete, and ldapsearch, see
the HP-UX Directory Server configuration, command, and file reference.
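The following wrapper is an added example, not code from the guide or from Directory Server: it checks the four certificate-authentication parameters before calling ldapsearch. It assumes the Directory Server ldapsearch with the -P, -N, -K and -W options described above, and that the key database password is kept in an owner-only file (a hypothetical local policy); all paths are hypothetical.

```sh
#!/bin/sh
# Added example, not taken from the HP-UX Directory Server guide: a wrapper
# for the certificate-based ldapsearch call shown above. It assumes the
# Directory Server ldapsearch (-P, -N, -K, -W as documented) and that the
# key-database password is kept in an owner-only file (hypothetical policy).

# Print the ldapsearch arguments for certificate-based authentication, one
# per line. Arguments: HOST PORT BINDDN CERTDB NICKNAME KEYDB PASSFILE.
# Returns 1 with no output if a database or the password file is unreadable,
# the password file is readable by others, or the password is empty.
cert_ldapsearch_args() {
    host=$1 port=$2 binddn=$3 certdb=$4 nick=$5 keydb=$6 passfile=$7
    for f in "$certdb" "$keydb" "$passfile"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Keep the key-database password out of shell history by reading it
    # from a file that only its owner can read (mode 0600 or 0400).
    perm=$(stat -c %a "$passfile" 2>/dev/null || stat -f %Lp "$passfile")
    case $perm in
        600|400) ;;
        *) echo "$passfile must be mode 0600 or 0400, not $perm" >&2; return 1 ;;
    esac
    pw=$(head -n 1 "$passfile")
    [ -n "$pw" ] || { echo "$passfile is empty" >&2; return 1; }
    # Caveat: -W still places the password in ldapsearch's argument list,
    # where other local users can read it from process listings.
    printf '%s\n' -p "$port" -h "$host" -D "$binddn" \
        -P "$certdb" -N "$nick" -K "$keydb" -W "$pw"
}

# Run ldapsearch with the validated arguments; any extra arguments (search
# base, filter, attributes) are passed through unchanged. Example:
#   cert_ldapsearch server.example.com 389 \
#       "uid=jsmith,ou=people,dc=example,dc=com" \
#       /home/jsmith/alias/cert8.db "My Cert" /home/jsmith/alias/key3.db \
#       /home/jsmith/.keydb-pw -b "dc=example,dc=com" "(uid=jsmith)"
cert_ldapsearch() {
    args=$(cert_ldapsearch_args "$1" "$2" "$3" "$4" "$5" "$6" "$7") || return 1
    shift 7
    # Split the validated arguments on newlines only (no globbing).
    oldifs=$IFS; IFS='
'; set -f
    set -- $args "$@"
    IFS=$oldifs; set +f
    ldapsearch "$@"
}
```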
12.8 Managing certificates for the Directory Server
After installing certificates, it can be necessary to renew the certificates, adjust the settings, or
manage the security databases that store them.
12.8.1 Renewing certificates
As with any issued identification (for example, drivers' licenses or student IDs), certificates are valid
for a predefined period, then expire and must be renewed. To renew a certificate, regenerate a
certificate request using the same information that was used to create the original, submit the
request to a CA, and re-install the renewed certificate.
1. Open the Directory Server Console.
2. In the Tasks tab, click the Manage Certificates button.
3. Click the Server Certs tab.
4. Select the certificate to renew from the list of certificates, and click the Renew button.
5. Go through the request wizard, using the same information used for requesting the original
certificate.
6. Submit the request to a certificate authority.
7. After the certificate is issued, reinstall it in the Directory Server.
a. In the Tasks tab, click the Manage Certificates button.
b. Click the Server Certs tab.
c. Click the Install button.
d. Paste in the renewed certificate, and continue through the installation wizard.
12.8.2 Changing the CA trust options
It is sometimes necessary to reject certificates issued by a generally trusted CA. The trust settings
on a CA certificate installed in the Directory Server can be changed so that the CA is untrusted or
trusted, or so that it is trusted only for certain operations.
1. In the Tasks tab, click the Manage Certificates button.
2. Click the CA Certs tab.
3. Select the CA certificate to edit.