Overview
The certificate updating process to replace an expired certificate is quite convoluted.
The basic process is as follows:
- Combine the key file and certificate file in PEM format into a pkcs12 package using OpenSSL
- Copy the resulting file to each of rhds4 and rhds5, into the /etc/dirsrv/slapd-rhds4 and /etc/dirsrv/admin-serv/ directories (this is where the certificates are stored)
- Import the certificates into the appropriate databases.
- Revoke the old certificate for ldap.oakland.edu:
- Remove the certificates from the Java console by running Redhat-IDM-Console. Remove both the admin server and directory server entries from within the manage certificates area.
- Create the PKCS#12 file:
openssl pkcs12 -export -inkey star.oakland.edu.key.pem.withoutpassword -in star.oakland.edu.crt.pem -out ldapnew.oakland.edu.pk12 -nodes -name ldap-crt
Note: ldap-crt MUST be the same name as the existing entry in the certificate database.
Note: OpenSSL will ask you for an export password; just pick anything. The file holds the private key, so don't give it away.
- Copy the pk12 file to the proper nodes:
for host in rhds4 rhds5; do scp ldapnew.oakland.edu.pk12 $host:/etc/dirsrv/; done
Importing the Certificate into the Databases
The PKCS#12 file must now be imported into the proper databases with the proper attributes so the LDAP server and administration server can use it. I used "admin-serv-rhdsX" for the administration server SSL database, and I used slapd-rhdsX for the LDAP server SSL database. You should replace these with the names of the specific databases with which you are working.
- Install CA certs through admin console (delete the old ones)
- Import the certificate into the databases:
pk12util -i ldapnew.oakland.edu.pk12 -d /etc/dirsrv/admin-serv/
pk12util -i ldapnew.oakland.edu.pk12 -d /etc/dirsrv/slapd-rhds4/
You will be prompted twice and should see the import confirmed:
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util-bin: PKCS12 IMPORT SUCCESSFUL
Note: You will need the password that was initially used to create the certificate databases.
Note: The password for the PKCS12 file is the export password you entered in the openssl pkcs12 step above.
- Start the services (if necessary):
root@rhds4 /etc/init.d/dirsrv start
root@rhds4 /etc/init.d/dirsrv-admin start
- Verify the certificate for the admin server and LDAP:
openssl s_client -CAfile /etc/ssl/oakland-root.crt -connect rhdsX.sys.oakland.edu:4555
Other Things to Check
Verify the following settings (make sure the certificate nickname is "ldap-crt" in both dirsrv and admin-serv):
- Edit dse.ldif in /etc/dirsrv/slapd-rhds4 and change
nsSSLPersonalitySSL: *.oakland.edu -GlobalSign
to
nsSSLPersonalitySSL: ldap-crt
- In /etc/dirsrv/admin-serv/console.conf, check that the nickname is
NSSNickname "ldap-crt"
Check the error logs after startup for encryption key errors if the certs were replaced (ignore this on a new rhds server setup).
Errors similar to these will appear:
attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[20/Aug/2013:15:27:08 -0400] attrcrypt - Key for cipher AES successfully generated and stored
[20/Aug/2013:15:27:08 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[20/Aug/2013:15:27:08 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored
[20/Aug/2013:15:27:08 -0400] attrcrypt - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[20/Aug/2013:15:27:08 -0400] attrcrypt - Key for cipher AES successfully generated and stored
[20/Aug/2013:15:27:08 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[20/Aug/2013:15:27:08 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored
If so, stop dirsrv (/etc/init.d/dirsrv stop) and edit the dse.ldif file in /etc/dirsrv/slapd-rhds4:
remove all of the encryption keys listed above; dirsrv will regenerate them on startup. Verify in the error log that these errors are gone.
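As an added pre-flight check for the settings and log messages described above (this script is not part of the original runbook), the following confirms that the nickname in dse.ldif and console.conf matches the -name given to openssl pkcs12 and counts attrcrypt key-regeneration messages in the errors log. The file paths and file contents it works on are constructed samples.

```shell
#!/bin/sh
# Added pre-flight check (not from the original runbook): confirms that the
# nickname in dse.ldif (nsSSLPersonalitySSL) and console.conf (NSSNickname)
# match the -name passed to openssl pkcs12, and counts attrcrypt key
# regeneration messages in the errors log. File paths and contents below are
# constructed samples, not copied from a live server.
EXPECTED_NICK="ldap-crt"

# Print the first nsSSLPersonalitySSL value found in a dse.ldif.
dse_nickname() {
    sed -n 's/^nsSSLPersonalitySSL: *//p' "$1" | head -n 1
}

# Print the NSSNickname value from console.conf with surrounding quotes removed.
console_nickname() {
    sed -n 's/^NSSNickname[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Succeed only when both files name the expected nickname ($3).
nicknames_consistent() {
    [ "$(dse_nickname "$1")" = "$3" ] && [ "$(console_nickname "$2")" = "$3" ]
}

# Count "No symmetric key found" lines; after a certificate swap a non-zero
# count means the stale attrcrypt keys in dse.ldif have not been removed yet.
attrcrypt_key_errors() {
    grep -c 'attrcrypt - No symmetric key found' "$1" || true
}

TMP=$(mktemp -d)
cat > "$TMP/dse.ldif" <<'EOF'
dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: *.oakland.edu -GlobalSign
nsSSLActivation: on
EOF
printf 'NSSNickname "ldap-crt"\n' > "$TMP/console.conf"
cat > "$TMP/errors" <<'EOF'
[20/Aug/2013:15:27:08 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[20/Aug/2013:15:27:08 -0400] attrcrypt - Key for cipher AES successfully generated and stored
EOF

if nicknames_consistent "$TMP/dse.ldif" "$TMP/console.conf" "$EXPECTED_NICK"; then
    echo "nickname OK: $EXPECTED_NICK"
else
    echo "nickname mismatch: dse.ldif='$(dse_nickname "$TMP/dse.ldif")' console.conf='$(console_nickname "$TMP/console.conf")'"
fi
echo "attrcrypt key errors in log: $(attrcrypt_key_errors "$TMP/errors")"
```

Point the three functions at the real /etc/dirsrv/slapd-rhdsX/dse.ldif, /etc/dirsrv/admin-serv/console.conf and errors log on each node to run the same checks before restarting the services.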
Clean Up
Finally, delete the PKCS#12 file from the nodes you've been working with.
External Resources
http://directory.fedoraproject.org/wiki/Howto:SSL