HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Table 57 certutil options (continued)
Option   Description
-o       The output file to which to save the certificate request.
-I       An input file containing a certificate.
-f       The path to a password file for the security database password.
Table 58 (page 480) lists some common uses of the certutil command.
Table 58 certutil examples
Each example is followed by its description.

certutil -L -d .
    Lists the certificates in the database.

certutil -N -d .
    Creates new key (key3.db) and certificate (cert8.db) databases.

certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa
    Creates a self-signed CA certificate.

certutil -L -d . -n "cert_name"
    "Pretty prints" the specified certificate; cert_name can name either a CA certificate or a client certificate.

certutil -L -d . -n "cert_name" > certfile.asc
    Exports the specified certificate from the database in ASCII (PEM) format.

certutil -L -d . -n "cert_name" -r > certfile.bin
    Exports the specified certificate from the database in binary (DER) format; this form can be used with Directory Server attributes such as userCertificate;binary.
12.4 Starting the server with TLS/SSL enabled
Most of the time, the server should run with TLS/SSL enabled. If TLS/SSL is temporarily disabled,
re-enable it before processing transactions that require confidentiality, authentication, or data
integrity.
Before TLS/SSL can be activated, first create a certificate database, obtain and install a server
certificate, and trust the CA's certificate, as described in "Obtaining and installing server
certificates" (page 471).
With TLS/SSL enabled, the server prompts for the PIN or password that unlocks the key database
each time it restarts. This is the same password that protects the key database, the one used when
the server certificate and key were imported into the database. To restart the Directory Server
without the password prompt, either use a hardware crypto device or create a PIN file ("Creating a
password file for the Directory Server" (page 484)).
NOTE:
On SSL-enabled servers, check the file permissions on the certificate database files, key
database files, and PIN files to protect the sensitive information they contain. The server does
not enforce restrictive permissions on these files, so the administrator must set and verify the
file modes. A PIN file in particular holds the key database password in clear text, so any user
who can read it can unlock the server's private key.
The files must be owned by the Directory Server user, such as the default nobody. The key and
certificate databases should be owned by the Directory Server user and should be readable and
writable by the owner only, with no access for group or other users (mode 0600). The PIN file
should also be owned by the Directory Server user and be read-only for that user, with no access
for any other user (mode 0400).
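The following script is an added example, not part of the HP-UX Directory Server guide or product, that performs the ownership and mode check the note above asks for before an SSL-enabled instance is started. It assumes the default database file names cert8.db and key3.db from Table 58; the PIN file name pin.txt, the instance directory path and the service user are hypothetical arguments. It parses the output of ls -ld rather than stat so it runs on HP-UX and Linux alike, and it also flags a trailing "+" in the mode string, which on Linux means an ACL may grant access beyond the mode bits.

```shell
#!/bin/sh
# Added example (not from the HP-UX Directory Server guide): audit the
# permissions of a Directory Server security database directory before
# starting the server with SSL enabled.
# Assumptions (hypothetical): DIR is the instance's security database
# directory, OWNER is the Directory Server user (default "nobody"), and the
# PIN file is named pin.txt. cert8.db and key3.db are the default names.
#
# Usage (after sourcing this file):
#   check_secdb_dir /path/to/slapd-instance nobody && echo "OK to start with SSL"

# mode_and_owner FILE -> prints "<mode-string> <owner>" taken from ls -ld
mode_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# check_one FILE OWNER OWNER_BITS
# Returns 0 if FILE is a regular file owned by OWNER, its group/other bits are
# all clear, and its owner bits are exactly OWNER_BITS ("rw-" for 0600,
# "r--" for 0400). Every violation found is reported on stdout.
check_one() {
    file=$1; owner=$2; want=$3
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    set -- $(mode_and_owner "$file")
    mode=$1; have_owner=$2
    rc=0
    [ "$have_owner" = "$owner" ] || { echo "BAD OWNER $file: $have_owner (want $owner)"; rc=1; }
    user_bits=$(printf '%s' "$mode" | cut -c2-4)   # owner rwx field
    rest=$(printf '%s' "$mode" | cut -c5-10)       # group and other fields
    acl=$(printf '%s' "$mode" | cut -c11)          # "+" on Linux when an ACL is set
    [ "$rest" = "------" ] || { echo "GROUP/OTHER ACCESS $file: $mode"; rc=1; }
    [ "$user_bits" = "$want" ] || { echo "OWNER BITS $file: $user_bits (want $want)"; rc=1; }
    [ "$acl" != "+" ] || { echo "ACL PRESENT $file: mode bits are not the whole story"; rc=1; }
    return $rc
}

# check_secdb_dir DIR OWNER -> 0 only if cert8.db and key3.db are 0600 and
# pin.txt is 0400, all owned by OWNER. Reports every problem, not just the first.
check_secdb_dir() {
    dir=$1; owner=$2; status=0
    check_one "$dir/cert8.db" "$owner" "rw-" || status=1
    check_one "$dir/key3.db"  "$owner" "rw-" || status=1
    check_one "$dir/pin.txt"  "$owner" "r--" || status=1
    return $status
}
```

Run the check as part of the start procedure and refuse to start the instance when it fails; the function reports every offending file so one pass is enough to see what needs chown or chmod.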
480 Managing SSL