Configuring SSL Connection in DS 1.4

Endi S. Dewata edited this page Sep 14, 2023 · 1 revision

Overview

In DS 1.4 or later SSL is enabled by default with self-signed CA and server certificates in /etc/dirsrv/slapd-<instance>.

Displaying SSL Configuration

To display the SSL configuration:

$ ldapsearch -H ldap://$HOSTNAME:389 -x -D "cn=Directory Manager" -w Secret.123 -b "cn=encryption,cn=config"
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
CACertExtractFile: /etc/dirsrv/slapd-localhost/Self-Signed-CA.pem
nsSSLSupportedCiphers: TLS_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: ...
nssslenabledciphers: TLS_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: ...
nsSSL2: off
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.2
sslVersionMax: TLS1.3

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)
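As an added example (not part of the DS or PKI project), the script below parses the LDIF that the ldapsearch command above prints and lints the encryption settings a defender checks first: legacy SSLv2/SSLv3 switches, the minimum TLS version, enabled ciphers, and whether the RSA module is activated. The LDIF embedded in the script is constructed from the attribute names shown above; the 3DES cipher entry is added only to show a finding, and the weak-cipher marker list is an assumption of this example, not a DS setting.

```python
"""Lint the DS encryption configuration (cn=encryption,cn=config).

Added example, not DS or PKI project code. Input is the LDIF printed by
`ldapsearch ... -b "cn=encryption,cn=config"`; the sample below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample output; the 3DES cipher line is added to trigger a finding.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
CACertExtractFile: /etc/dirsrv/slapd-localhost/Self-Signed-CA.pem
nsSSLSupportedCiphers: TLS_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::112
nsSSL2: off
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.2
sslVersionMax: TLS1.3

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)
"""

# Substrings that mark ciphers worth flagging (assumed list for this example).
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "MD5")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into {dn: {attr (lowercased): [values]}}.

    Handles 'attr: value' lines, blank-line entry separators and leading-space
    continuation lines. Attribute names are lowercased because LDAP attribute
    names are case-insensitive (note nsSSLSupportedCiphers vs nssslenabledciphers).
    Base64 'attr:: value' lines are not decoded; none appear in this entry.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def tls_version_key(version: str) -> tuple:
    """Map 'SSL3' / 'TLS1.2' style strings to a comparable (family, major, minor)."""
    match = re.match(r"(SSL|TLS)(\d+)(?:\.(\d+))?$", version)
    if not match:
        return (0, 0, 0)
    family = 1 if match.group(1) == "TLS" else 0
    return (family, int(match.group(2)), int(match.group(3) or 0))


def lint_encryption_config(entries: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings: List[str] = []
    enc = entries.get("cn=encryption,cn=config")
    if not enc:
        return ["cn=encryption,cn=config not found in output"]

    def first(attr: str, default: str = "") -> str:
        return enc.get(attr.lower(), [default])[0]

    for legacy in ("nsSSL2", "nsSSL3"):
        if first(legacy, "off").lower() != "off":
            findings.append(f"{legacy} is enabled; SSLv2/SSLv3 should be off")
    minimum = first("sslVersionMin")
    if tls_version_key(minimum) < tls_version_key("TLS1.2"):
        findings.append(f"sslVersionMin is {minimum or 'unset'}; raise to TLS1.2 or higher")
    for cipher in enc.get("nssslenabledciphers", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {cipher}")
    rsa = entries.get("cn=RSA,cn=encryption,cn=config", {})
    if rsa.get("nssslactivation", ["off"])[0].lower() != "on":
        findings.append("nsSSLActivation is not on; the RSA module has no active server certificate")
    return findings


if __name__ == "__main__":
    for finding in lint_encryption_config(parse_ldif(SAMPLE_LDIF)) or ["no findings"]:
        print(finding)
```

In practice, pipe the real ldapsearch output into `parse_ldif` instead of the constructed sample; the parser tolerates the attribute-name casing differences DS shows in this entry.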

Listing DS Certificates

To list DS certificates:

$ certutil -L -d /etc/dirsrv/slapd-localhost

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Self-Signed-CA                                               CT,, 
Server-Cert                                                  u,u,u

To list the DS certificate key:

$ certutil -K -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      299bdc37b695519cb5f40f61d1e7283f8b161900   NSS Certificate DB:Server-Cert

Displaying DS Certificates

To display the DS signing certificate:

$ certutil -L -d /etc/dirsrv/slapd-localhost -n "Self-Signed-CA"

To display the DS server certificate:

$ certutil -L -d /etc/dirsrv/slapd-localhost -n "Server-Cert"

Enabling SSL Connection

See Enabling SSL Connection in DS.

Exporting DS Certificates

See Exporting DS Certificates.

Importing DS Certificates

To import the DS certificates and key from a PKCS #12 file:

$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    pkcs12-import --pkcs12-file tmp/sslserver.p12 --pkcs12-password Secret.123

Deleting DS Certificates

To delete the DS server certificate and its key:

$ certutil -F -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt -n Server-Cert

To delete the DS signing certificate:

$ certutil -D -d /etc/dirsrv/slapd-localhost -n "Self-Signed-CA"

Accessing DS via SSL Connection

To verify the SSL connection:

$ sslscan $HOSTNAME:636

To access DS via SSL connection without a trusted DS signing certificate (LDAPTLS_REQCERT=never skips server certificate verification):

$ LDAPTLS_REQCERT=never \
    ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret.123 -s base -b "" \* +

To access DS via SSL connection with a trusted DS signing certificate:

$ LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/Self-Signed-CA.pem \
    ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret.123 -s base -b "" \* +

See Also