Certificates with certutil (Part 2)

Create a test CA

  1. certutil
    • Create a certificate DB for the CA
    • # mkdir -p /CA/cacertdb
      # certutil -N -d /CA/cacertdb -P "ca-"
    • Create a self-signed CA certificate (valid for 120 months)
    • # certutil -S -x -n "ca-cert" -s "cn=CA Certificate certutil,ou=TEST,o=foo,l=bar,c=DE" -t CTPu -v 120 -d /CA/cacertdb -P "ca-" -5

      At the -5 prompt (Netscape certificate type) select 5 (SSL CA) and answer 'y' (critical extension). -x makes the certificate self-signed; -P sets the file prefix of the DB (ca-cert8.db, ca-key3.db), so every later command on this DB must pass the same -P.

    • Export the CA cert to a PEM file (the certificate only; the CA key never leaves the DB)
    • # certutil -L -d /CA/cacertdb -P "ca-" -n "ca-cert" -a > cacert.pem

Create an NSS DB for the Directory Server

  1. certutil
    • Remember the password; the directory server needs it to open its key DB
    • # certutil -N -d /var/mps/serverroot/alias -P "slapd-myhost-"

Generate a Certificate Signing Request (CSR) for the server cert

  1. certutil
    • # certutil -R -s "cn=myhost.test.foo.lan,ou=TEST,o=foo,l=bar,c=DE" -o DER.csr -d /var/mps/serverroot/alias -P "slapd-myhost-"

      The key pair is generated inside the NSS DB and never leaves it; only the request in DER.csr is handed to the CA. The cn must be the fully qualified name the LDAP clients will connect to, because TLS clients compare it against the host name they connect to.

  2. openssl
    • Generate a 2048-bit RSA private key
    • # openssl genrsa -out privkey.pem 2048
    • or generate a 2048-bit DSA private key
    • # openssl dsaparam -out DSAparam.pem 2048
      # openssl gendsa -out privkey.pem DSAparam.pem
    • Generate the certificate request
    • # openssl req -new -key privkey.pem -out PEM.csr
    • Display the certificate request
    • # openssl req -in PEM.csr -text -pubkey

Sign the CSR using the test CA

  1. certutil
    • Sign the DER CSR (valid for 12 months)
    • # certutil -C -c "ca-cert" -i DER.csr -o ./cert.der -v 12 -d /CA/cacertdb -P "ca-" -5
    • Sign the PEM CSR
    • # certutil -C -c "ca-cert" -a -i PEM.csr -o ./cert.pem -v 12 -d /CA/cacertdb -P "ca-" -5

      At the -5 prompt select 1 (SSL Server) this time, not 5: a server (leaf) certificate must not carry the SSL CA type.

  2. openssl
    • # openssl ca -policy policy_anything -cert cacert.pem -in PEM.csr -out ./cert.pem

      openssl ca needs the CA private key and the CA database (serial, index.txt) from openssl.cnf (or -keyfile/-config). The key of a CA created with certutil is not available as a PEM file; it would first have to be exported from the NSS DB with pk12util -o.

Import the signed certs into the NSS DB

  1. certutil
    • Import the PEM server cert
    • # certutil -A -a -n "server-cert" -i ./cert.pem -t Pu -d /var/mps/serverroot/alias -P "slapd-myhost-"
    • Import the DER server cert
    • # certutil -A -n "server-cert" -i ./cert.der -t Pu -d /var/mps/serverroot/alias -P "slapd-myhost-"
    • Import the PEM CA cert
    • # certutil -A -a -n "ca-cert" -i cacert.pem -t CT -d /var/mps/serverroot/alias -P "slapd-myhost-"
    • List the contents
    • # certutil -L -d /var/mps/serverroot/alias -P "slapd-myhost-"
    • Show a specific cert
    • # certutil -L -d /var/mps/serverroot/alias -P "slapd-myhost-" -n "server-cert"

      The server cert must be imported into the same DB in which the CSR was generated, so that it is paired with its private key (certutil -K lists the keys in the DB).

  2. openssl
    • Import openssl certificates/keys into the NSS DB: first bundle the cert, key and CA cert into a PKCS#12 file
    • # openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cacert.pem -name "MY CERTIFICATE" -out mycert.p12
    • then import it into the NSS DB
    • # pk12util -i mycert.p12 -d /var/mps/serverroot/alias -P "slapd-myhost-" -v
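The whole server-side procedure from the sections above (CA DB, self-signed CA, server DB, CSR, signing, import), as an added example script; this is not code from the original page. It replaces the interactive -5 prompt with certutil's --nsCertType/--keyUsage/--extKeyUsage options (which need a reasonably recent certutil, an assumption) and adds the checks a practitioner runs afterwards: the SSL trust flags of the imported CA, the presence of the private key next to the server cert, and a certutil -V validation. The DB paths, prefixes and nicknames are the page's; the password files, the noise file, the file names under /CA and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the certutil flow above as one
# non-interactive script plus post-import checks. Assumptions: password files
# at $CAPW/$SRVPW (one line each, mode 0600), a certutil that supports
# --nsCertType/--keyUsage/--extKeyUsage, and the helper names below.
set -eu

CADB=/CA/cacertdb;                CAPFX="ca-"
SRVDB=/var/mps/serverroot/alias;  SRVPFX="slapd-myhost-"
CAPW=/CA/ca-pw.txt;               SRVPW=/CA/srv-pw.txt
NOISE=/CA/noise.bin
FQDN=myhost.test.foo.lan
CASUBJ="cn=CA Certificate certutil,ou=TEST,o=foo,l=bar,c=DE"

# SSL trust column (first of "SSL,S/MIME,JAR/XPI") that `certutil -L` prints
# for a nickname. Reads the listing on stdin, so it also works on saved output.
# A line counts as an entry only if its last field looks like a trust string,
# which skips the two header lines.
ssl_trust_of() {   # usage: certutil -L -d DB | ssl_trust_of NICK
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            trust = $NF; name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            if (name == nick) { split(trust, t, ","); print t[1]; exit }
        }'
}

# Succeeds only if every flag letter given ($2..) is present in $1.
trust_has() {
    flags=$1; shift
    for f in "$@"; do
        case "$flags" in *"$f"*) ;; *) return 1 ;; esac
    done
}

build_ca() {
    mkdir -p "$CADB"
    certutil -N -d "$CADB" -P "$CAPFX" -f "$CAPW"
    head -c 256 /dev/urandom > "$NOISE"               # entropy for key generation
    # -2 adds Basic Constraints; its three prompts are answered on stdin:
    # CA? yes, no path-length limit (empty), critical? yes.
    certutil -S -x -d "$CADB" -P "$CAPFX" -f "$CAPW" -z "$NOISE" \
        -n ca-cert -s "$CASUBJ" -t CT,, -v 120 -k rsa -g 2048 \
        --nsCertType sslCA,critical --keyUsage certSigning,crlSigning,critical -2 <<EOF
y

y
EOF
    certutil -L -d "$CADB" -P "$CAPFX" -n ca-cert -a > /CA/cacert.pem
}

issue_server_cert() {
    mkdir -p "$SRVDB"
    certutil -N -d "$SRVDB" -P "$SRVPFX" -f "$SRVPW"
    # The key pair is generated inside the server DB; only the request leaves it.
    certutil -R -d "$SRVDB" -P "$SRVPFX" -f "$SRVPW" -z "$NOISE" -k rsa -g 2048 \
        -s "cn=$FQDN,ou=TEST,o=foo,l=bar,c=DE" -o /CA/server.csr
    # Leaf certificate: SSL Server type, serverAuth EKU, 12 months.
    certutil -C -d "$CADB" -P "$CAPFX" -f "$CAPW" -c ca-cert -v 12 \
        -i /CA/server.csr -o /CA/server.der \
        --nsCertType sslServer --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage serverAuth
    certutil -A -d "$SRVDB" -P "$SRVPFX" -f "$SRVPW" -n ca-cert -t CT,, -a -i /CA/cacert.pem
    # u,u,u: a certificate whose private key lives in this DB (the page uses Pu).
    certutil -A -d "$SRVDB" -P "$SRVPFX" -f "$SRVPW" -n server-cert -t u,u,u -i /CA/server.der
}

verify_server_db() {
    listing=$(certutil -L -d "$SRVDB" -P "$SRVPFX")
    trust_has "$(printf '%s\n' "$listing" | ssl_trust_of ca-cert)" C T ||
        { echo "ca-cert is not a trusted SSL CA in $SRVDB" >&2; return 1; }
    # -K lists private keys: the server cert must sit next to its key.
    certutil -K -d "$SRVDB" -P "$SRVPFX" -f "$SRVPW" | grep -q "server-cert" ||
        { echo "server-cert has no private key in $SRVDB" >&2; return 1; }
    # Chain and usage check as an SSL server (-u V).
    certutil -V -d "$SRVDB" -P "$SRVPFX" -n server-cert -u V
}

case "${1:-}" in
    run) build_ca; issue_server_cert; verify_server_db ;;
esac
```

Run it as root with the argument `run`; without an argument it only defines the functions, so `ssl_trust_of` and `trust_has` can be sourced and used against any `certutil -L` listing.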

Enable SSL

Solaris Native LDAP client side

  • Create the NSS DB (don't enter a password, just hit return)
  • # certutil -N -d /var/ldap
    # chmod 444 /var/ldap/*
    World-readable is acceptable here because this DB holds only the CA certificate, no private key.
  • Copy the test CA certificate (only the certificate, not the CA's key) to the client machine into a temporary location, e.g. /var/tmp/cacert.pem
  • Add the CA certificate to the NSS DB
  • # certutil -A -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
  • Verify that "myhost" resolves to a fully qualified name, otherwise adjust /etc/hosts (and if necessary /etc/nsswitch.conf). The resolved name must match the cn of the server certificate, or the TLS connection fails.
  • # getent hosts 11.22.33.44
    11.22.33.44 myhost.test.sun.com
  • Test with ldapsearch
  • # ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b "dc=sun,dc=com" -s base "objectclass=*"
  • Initialize the native LDAP client with the profile "tls-profile" (the proxy password given on the command line ends up in the shell history; ldapclient stores it in /var/ldap/ldap_client_cred)
  • # /usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy 11.22.33.44
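The client-side steps above as an added example script, not code from the original page. The manual check "is myhost fully qualified and does it match the certificate" is done in code: the name the client resolves for the server IP is compared with the CN the server actually presents on port 636. The DB path, profile name, base DN and ldapsearch syntax are the page's; the server IP, the location of the CA file, the use of openssl s_client on the client, certutil's --empty-password option (on an older certutil answer the password prompts with return instead) and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): Solaris native LDAP client setup
# with the host-name/CN check done in code. Assumptions: SERVER_IP, CACERT,
# an openssl binary on the client, --empty-password, and the helper names.
set -eu

LDAPDB=/var/ldap
CACERT=/var/tmp/cacert.pem
SERVER_IP=11.22.33.44
BASEDN="dc=sun,dc=com"

# CN of a subject, read from stdin. Accepts both the pretty-print of
# `certutil -L -n NICK` (Subject: "CN=...,OU=...") and the output of
# `openssl x509 -noout -subject -nameopt RFC2253` (subject=...,CN=...).
# Only the Subject line is used, so the issuer's CN is never picked up.
cn_of() {
    sed -n 's/^[[:space:]]*[Ss]ubject[:=] *//p' | head -n 1 | tr -d '"' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*[Cc][Nn]=//p' | head -n 1
}

# Canonical host name from a `getent hosts` line (second column).
canonical_name() {
    awk 'NR == 1 { print $2 }'
}

# $1: name the client resolved for the server IP, $2: certificate CN.
# Fails when the name is unqualified (no dot) or differs from the CN
# (case-insensitive, as DNS names are).
client_name_ok() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# CN of the certificate the server presents on 636.
server_cn() {
    openssl s_client -connect "$SERVER_IP:636" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 | cn_of
}

setup_client() {
    certutil -N -d "$LDAPDB" --empty-password
    chmod 444 "$LDAPDB"/*          # only a CA certificate lives here, no private key
    certutil -A -d "$LDAPDB" -n ca-cert -a -t CT,, -i "$CACERT"

    name=$(getent hosts "$SERVER_IP" | canonical_name)
    cn=$(server_cn)
    client_name_ok "$name" "$cn" || {
        echo "client resolves $SERVER_IP to '$name' but the server cert says '$cn';" \
             "fix /etc/hosts or /etc/nsswitch.conf" >&2
        return 1
    }

    # TLS smoke test with the page's Solaris ldapsearch syntax (-Z, -P certdb).
    ldapsearch -v -h "$name" -p 636 -Z -P "$LDAPDB/cert8.db" \
        -b "$BASEDN" -s base "objectclass=*" >/dev/null

    # Proxy password comes from the environment rather than being typed on
    # the command line of an interactive shell (it would land in the history).
    /usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com \
        -a proxyDN="cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com" \
        -a proxyPassword="${PROXYPW:?set PROXYPW in the environment}" "$SERVER_IP"
}

case "${1:-}" in
    run) setup_client ;;
esac
```

Run as root with `PROXYPW=... ./client-setup.sh run`; the mismatch case is the one that otherwise shows up only as a failed TLS handshake from ldapsearch.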