HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

5. Name the certificate, and click Next.
6. Select the purpose of trusting this certificate authority; it is possible to select both options:
   Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
   Accepting connections to other servers (Server Authentication). This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted certificate authority.
7. Click Done.
After both the server and CA certificates are installed, it is possible to configure the Directory Server to run in TLS/SSL. However, HP recommends verifying that the certificates have been installed correctly.
12.2.5 Step 5: Confirm that the new certificates are installed
1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
2. Select the Server Certs tab.
A list of all the installed certificates for the server opens.
3. Scroll through the list. The certificates installed previously should be listed.
It is now possible to set up the Directory Server to run in TLS/SSL.
NOTE:
When renewing a certificate using the Certificate Wizard, the text on the introduction screen does not clearly indicate that the process is renewal and not requesting a new certificate. Also, the requester information is not filled in automatically.
12.3 Using certutil
The Directory Server has a command line tool, certutil, which locally creates self-signed CA and client certificates, certificate databases, and keys. The default location for the Directory Server certutil tool is /opt/dirsrv/bin.
12.3.1 Creating Directory Server certificates through the command line
The following steps outline how to make the databases, key, CA certificate, and server/client certificate, and convert the certificates into pkcs12 format.
1. Open the directory where the Directory Server certificate databases are stored:
cd /etc/opt/dirsrv/slapd-instance_name
2. Make a backup copy of all the files in the directory as a precaution. If something goes awry while managing certificates, the databases can then be restored. For example:
tar -cf /tmp/db-backup.tar *
3. Using a text editor, create a text file that only contains your desired security token password. The following example creates the file pwdfile. Using the text editor, insert the password "secretpw".
vi pwdfile
This password locks the server's private key in the key database and is used when the keys and certificates are first created. The password in this file is also the default password to encrypt PK12 files used by pk12util. Because this password is stored in plaintext, the password file should be owned by the user as which Directory Server runs, by default nobody,
12.3 Using certutil 477
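The backup and password-file steps above, scripted as an added example that is not part of the HP-UX Directory Server guide. It takes the instance directory, archive path, service account and password as arguments (the account name is an assumption; "nobody" is only the guide's stated default) and then verifies that the plaintext password file is readable only by that account before certutil is ever run.

```shell
#!/bin/sh
# Added example, not from the HP guide: automate steps 2 and 3 of 12.3.1 and
# check that the plaintext token password file is protected.

# backup_certdb DIR ARCHIVE -- step 2: archive everything in the instance
# directory before touching the certificate databases, then verify the
# archive is readable so a bad backup is noticed now, not during a restore.
backup_certdb() {
    ( cd "$1" && tar -cf "$2" . ) || return 1
    tar -tf "$2" >/dev/null 2>&1
}

# write_pwdfile DIR PASSWORD -- step 3: create DIR/pwdfile holding only the
# token password. umask 077 makes the file private from the moment it is
# created, so the password is never world-readable, not even briefly.
write_pwdfile() {
    ( umask 077 && printf '%s\n' "$2" > "$1/pwdfile" ) || return 1
    chmod 600 "$1/pwdfile"
}

# check_pwdfile DIR OWNER -- confirm DIR/pwdfile is mode 0600 and owned by
# OWNER, the account Directory Server runs as. Parses ls -l rather than
# stat(1) so it also works on HP-UX.
check_pwdfile() {
    f="$1/pwdfile"
    [ -f "$f" ] || return 1
    mode=$(ls -l "$f" | awk '{print $1}' | cut -c1-10)
    owner=$(ls -l "$f" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$2" ]
}

# prepare_certdb DIR ARCHIVE OWNER PASSWORD -- run the steps in order and
# fail if the resulting password file is not private to OWNER.
# Usage (assumed paths): prepare_certdb /etc/opt/dirsrv/slapd-instance_name \
#     /tmp/db-backup.tar nobody secretpw
prepare_certdb() {
    backup_certdb "$1" "$2" || return 1
    write_pwdfile "$1" "$4" || return 1
    chown "$3" "$1/pwdfile" 2>/dev/null   # needs root; a no-op if already owner
    check_pwdfile "$1" "$3"
}
```

Run it as root so the chown to the service account succeeds; as an unprivileged user the final check fails unless OWNER is your own account.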