Create a Test CA
- certutil
- Create a certificate DB for the CA
# mkdir -p /CA/cacertdb
# certutil -N -d /CA/cacertdb -P "ca-"
- Create a self-signed CA certificate (-v 120 is the validity in months, i.e. 10 years; -5 prompts for the Netscape certificate type extension)
# certutil -S -x -n "ca-cert" -s "cn=CA Certificate certutil,ou=TEST,o=foo,l=bar,c=DE" -t CTPu -v 120 -d /CA/cacertdb -P "ca-" -5
At the prompt select 5 (SSL CA) and answer 'y'
- Export the CA cert to a PEM file (this is the file the clients and the directory server will import as trusted CA)
# certutil -L -d /CA/cacertdb -P "ca-" -n "ca-cert" -a > cacert.pem
Create the NSS DB for the Directory Server
- certutil
- Remember the password: the server needs it to open its key DB when SSL is enabled
# certutil -N -d /var/mps/serverroot/alias -P "slapd-myhost-"
Generate Certificate Signing Request (CSR) for server cert
- certutil
- Generate the key pair inside the NSS DB and write the request as DER. The cn must be the host name the clients will connect to, otherwise the clients reject the certificate later
# certutil -R -s "cn=myhost.test.foo.lan,ou=TEST,o=foo,l=bar,c=DE" -o DER.csr -d /var/mps/serverroot/alias -P "slapd-myhost-"
- openssl
- Generate a 2048-bit RSA private key
# openssl genrsa -out privkey.pem 2048
- or generate a 2048-bit DSA private key
# openssl dsaparam -out DSAparam.pem 2048
# openssl gendsa -out privkey.pem DSAparam.pem
- Generate the certificate request
# openssl req -new -key privkey.pem -out PEM.csr
- Display the certificate request
# openssl req -in PEM.csr -text -pubkey
Sign CSR using Test CA
- certutil (-v 12: the server cert is valid for 12 months)
- Sign DER CSR
# certutil -C -c "ca-cert" -i DER.csr -o ./cert.der -v 12 -d /CA/cacertdb -P "ca-" -5
- Sign PEM CSR
# certutil -C -c "ca-cert" -a -i PEM.csr -o ./cert.pem -v 12 -d /CA/cacertdb -P "ca-" -5
- openssl. Note that openssl ca also needs the CA private key (-keyfile) and an initialised CA directory (index.txt, serial) from openssl.cnf; the key of the CA created above lives inside the NSS DB, so it has to be exported (pk12util -o) before openssl can sign with it
# openssl ca -policy policy_anything -cert cacert.pem -in PEM.csr -out ./cert.pem
Import signed certs into NSS DB
- certutil
- Import PEM server cert (works only because the matching private key was generated in this DB by certutil -R; certutil pairs the cert with that key)
# certutil -A -a -n "server-cert" -i ./cert.pem -t Pu -d /var/mps/serverroot/alias -P "slapd-myhost-"
- Import DER server cert
# certutil -A -n "server-cert" -i ./cert.der -t Pu -d /var/mps/serverroot/alias -P "slapd-myhost-"
- Import PEM CA cert
# certutil -A -a -n "ca-cert" -i cacert.pem -t CT -d /var/mps/serverroot/alias -P "slapd-myhost-"
- List the contents
# certutil -L -d /var/mps/serverroot/alias -P "slapd-myhost-"
- List the contents of a specific cert
# certutil -L -d /var/mps/serverroot/alias -P "slapd-myhost-" -n "server-cert"
- openssl
- Import openssl certificates/keys into the NSS DB. Because the private key was created outside the DB, cert, key and CA cert are bundled into PKCS#12 format first
# openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cacert.pem -name "MY CERTIFICATE" -out mycert.p12
- Import it into the NSS DB
# pk12util -i mycert.p12 -d /var/mps/serverroot/alias -P "slapd-myhost-" -v
Enable SSL
Solaris Native LDAP client side
- Create the NSS DB (don't enter a password, just hit return) and make it world-readable so that unprivileged client processes can use it
# certutil -N -d /var/ldap
# chmod 444 /var/ldap/*
- Download the Test CA certificate to the client machine into a temporary location, e.g. /var/tmp/cacert.pem, and import it as a trusted CA
# certutil -A -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
- Check that the server address resolves to the host name in the server certificate; the client compares that name with the certificate's cn, so a mismatch fails even though the CA is trusted
# getent hosts 11.22.33.44
11.22.33.44 myhost.test.sun.com
- Test an SSL connection with ldapsearch (-Z uses SSL, -P points at the cert DB created above)
# ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b "dc=sun,dc=com" -s base "objectclass=*"
- Initialise the native LDAP client with the TLS profile
# /usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy 11.22.33.44
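The whole procedure of these notes, from the test CA through the CSR, the signing and the PKCS#12 bundle for pk12util up to the host-name check an LDAPS client performs before ldapclient init, as an added example done with OpenSSL alone (it is not from the original notes and uses no NSS tools). The working directory, the subjects, the host names myhost.test.foo.lan / myhost.test.sun.com and the PKCS#12 password "changeit" are assumed example values.

```shell
#!/bin/sh
# Added example, not part of the original notes: the same steps done with
# OpenSSL only, so they can be reproduced without NSS tools. The working
# directory, subjects, host names and the PKCS#12 password are assumptions.
set -u

# make_test_pki DIR CA_SUBJECT HOST
# 1. test CA (self-signed), 2. server key + CSR, 3. sign the CSR with the CA,
# 4. PKCS#12 bundle as pk12util -i expects it, 5. check that the server cert
# chains to the CA. Returns 0 only if every step succeeded.
make_test_pki() {
    dir=$1; ca_subj=$2; host=$3
    mkdir -p "$dir" || return 1
    # 1. CA key and self-signed CA cert; 3650 days is the counterpart of "-v 120" (months)
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$dir/cakey.pem" -subj "$ca_subj" -days 3650 \
        -out "$dir/cacert.pem" 2>/dev/null || return 1
    # 2. server key and CSR. -subj is the "/"-form of cn=...,ou=TEST,o=foo,l=bar,c=DE
    #    (written bottom-up); CN must be the name clients connect to
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/privkey.pem" \
        -subj "/C=DE/L=bar/O=foo/OU=TEST/CN=$host" -out "$dir/PEM.csr" 2>/dev/null || return 1
    # 3. sign with the CA for 365 days ("-v 12"); a SAN is added because current
    #    clients match the host name against the SAN and ignore the CN
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/server.ext" || return 1
    openssl x509 -req -in "$dir/PEM.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    # 4. cert + key + CA cert as PKCS#12 (the file pk12util -i imports); the export
    #    password "changeit" is an example value
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/privkey.pem" \
        -certfile "$dir/cacert.pem" -name "MY CERTIFICATE" \
        -passout pass:changeit -out "$dir/mycert.p12" 2>/dev/null || return 1
    # 5. the signed cert must verify against the CA cert that clients will import
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null 2>&1
}

# p12_has_key P12 PASSWORD: 0 if the bundle carries the private key. A bundle
# without it imports fine but the directory server cannot serve SSL with it.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# host_matches DIR HOST: 0 only if the server cert is valid for HOST. This is
# what an LDAPS client checks after trusting the CA: the name must match too.
host_matches() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/cert.pem" >/dev/null 2>&1
}

# Usage with the names from the notes (server cert issued for myhost.test.foo.lan,
# client connecting to myhost.test.sun.com):
WORK=$(mktemp -d)
if make_test_pki "$WORK" "/C=DE/L=bar/O=foo/OU=TEST/CN=CA Certificate certutil" myhost.test.foo.lan; then
    openssl x509 -in "$WORK/cert.pem" -noout -subject -issuer -dates
    host_matches "$WORK" myhost.test.sun.com ||
        echo "myhost.test.sun.com does not match the certificate: the client would reject the server"
fi
```

The last check is the one most often missed when following these notes: the CA import on the client only makes the chain trusted, the host name the client uses (myhost.test.sun.com from getent) still has to match the name the CSR was issued for, which in the notes is myhost.test.foo.lan.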