Publishing CA Certificate to LDAP Server - dogtagpki/pki GitHub Wiki

Overview

This page describes how to configure the CA to publish its CA certificate into a CRL database in LDAP.

To configure the OCSP responder to retrieve the CA certificate from LDAP, see:

Setting up CRL Database in LDAP

See Setting up CRL Database.

Configuring CA Certificate Publishing

The CA certificate publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

To configure the LDAP connection:

$ pki-server ca-config-set ca.publish.ldappublish.enable true
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host $HOSTNAME
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 389
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.clientCertNickname ""

To configure the LDAP-based CA certificate publisher:

$ pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr "cACertificate;binary"
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass pkiCA
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.pluginName LdapCaCertPublisher

To configure the CA certificate mapper:

$ pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.createCAEntry true
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.dnPattern "cn=\$subj.cn,dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.pluginName LdapCaSimpleMap

To configure the CA certificate publishing rule:

$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.enable true
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.mapper LdapCaCertMap
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.pluginName Rule
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.predicate ""
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.publisher LdapCaCertPublisher
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.type cacert

To enable publishing:

$ pki-server ca-config-set ca.publish.enable true

Finally, restart the server for the new configuration to take effect.
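Before restarting, it is worth checking that the publishing configuration is internally consistent (the rule points at a mapper and a publisher that exist, publishing is actually enabled) and that the LDAP bind settings are ones a reviewer would accept. The following stdlib-only Python check is an added example, not part of the dogtagpki/pki project or this wiki page. It parses a CS.cfg fragment in the key=value form that the pki-server ca-config-set commands above write (the sample text embedded in it is constructed from exactly those keys and values) and returns configuration errors separately from security warnings; the two warnings it raises for the sample, a BasicAuth bind over a non-TLS connection and binding as cn=Directory Manager, are observations about the settings shown on this page, not requirements of the pki software.

```python
"""Consistency and hardening check for a Dogtag CA publishing configuration.

Added example; not part of the dogtagpki/pki project. It parses the
key=value lines of a CS.cfg fragment (the keys set by the pki-server
ca-config-set commands above) and reports configuration errors and
risky settings before the server is restarted.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: the values the ca-config-set commands above write.
SAMPLE_CS_CFG = """\
ca.publish.enable=true
ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapconn.host=pki.example.com
ca.publish.ldappublish.ldap.ldapconn.port=389
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager
ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=internaldb
ca.publish.ldappublish.ldap.ldapauth.clientCertNickname=
ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=cACertificate;binary
ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=pkiCA
ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
ca.publish.mapper.instance.LdapCaCertMap.dnPattern=cn=$subj.cn,dc=crl,dc=pki,dc=example,dc=com
ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
ca.publish.rule.instance.LdapCaCertRule.enable=true
ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
ca.publish.rule.instance.LdapCaCertRule.predicate=
ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
ca.publish.rule.instance.LdapCaCertRule.type=cacert
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg lines into a dict. Only the first '=' separates key
    from value, so DN values such as cn=Directory Manager stay intact."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def instances(cfg: Dict[str, str], kind: str) -> Set[str]:
    """Names of the configured instances of one kind: mapper, publisher or rule."""
    prefix = f"ca.publish.{kind}.instance."
    return {key[len(prefix):].split(".", 1)[0] for key in cfg if key.startswith(prefix)}


def check_publishing_config(cfg: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors keep publishing from working as
    intended, warnings are settings a security reviewer would question."""
    errors: List[str] = []
    warnings: List[str] = []
    ldap = "ca.publish.ldappublish."

    if cfg.get("ca.publish.enable") != "true":
        errors.append("ca.publish.enable is not true: nothing will be published")
    if cfg.get(ldap + "enable") != "true":
        errors.append("LDAP publishing is disabled (ca.publish.ldappublish.enable)")

    mappers, publishers = instances(cfg, "mapper"), instances(cfg, "publisher")
    for rule in instances(cfg, "rule"):
        r = f"ca.publish.rule.instance.{rule}."
        if cfg.get(r + "enable") != "true":
            continue  # disabled rules are never evaluated
        mapper, publisher = cfg.get(r + "mapper", ""), cfg.get(r + "publisher", "")
        if mapper not in mappers:
            errors.append(f"rule {rule} references unknown mapper '{mapper}'")
        if publisher not in publishers:
            errors.append(f"rule {rule} references unknown publisher '{publisher}'")
        if not cfg.get(r + "type"):
            errors.append(f"rule {rule} has no type (e.g. cacert)")

    for mapper in mappers:
        m = f"ca.publish.mapper.instance.{mapper}."
        if cfg.get(m + "createCAEntry") == "true" and not cfg.get(m + "dnPattern"):
            errors.append(f"mapper {mapper} creates CA entries but has no dnPattern")

    # Bind settings: the CA's directory credentials deserve the same care as any other secret.
    secure = cfg.get(ldap + "ldap.ldapconn.secureConn", "false") == "true"
    if cfg.get(ldap + "ldap.ldapauth.authtype") == "BasicAuth" and not secure:
        warnings.append("BasicAuth over a non-TLS connection sends the bind password in cleartext")
    if cfg.get(ldap + "ldap.ldapauth.bindDN", "").lower() == "cn=directory manager":
        warnings.append("publishing binds as the directory superuser; prefer a dedicated "
                        "account with write access limited to the publishing subtree")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_publishing_config(parse_cs_cfg(SAMPLE_CS_CFG))
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

On a live system the same check can be run against the real file by reading /var/lib/pki/pki-tomcat/ca/conf/CS.cfg instead of the embedded sample; lines for other subsystems are simply ignored because every check keys off the ca.publish. prefix.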

Verification

To retrieve the published CA certificate:

$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=crl,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=pkiCA)"
dn: cn=CA Signing Certificate,dc=crl,dc=pki,dc=example,dc=com
cn: CA Signing Certificate
sn: CA Signing Certificate
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pkiCA
cACertificate;binary:< file://<path>

To view the published CA certificate:

$ openssl x509 \
    -in <path> \
    -inform DER \
    -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:21:e0:1a:ab:16:78:60:d5:61:c6:2b:fc:de:dd:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Validity
            Not Before: Jul 29 00:26:54 2022 GMT
            Not After : Jul 29 00:26:54 2042 GMT
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:e7:ce:da:04:fc:4f:47:b6:0b:da:98:a9:08:d4:
                    54:ec:45:c0:24:ce:8e:10:4f:fe:da:e5:0e:64:2e:
                    6e:76:61:ae:0a:ec:15:34:d1:79:8a:dd:7e:bc:6b:
                    f7:d2:5e:9d:34:01:35:f1:c3:d0:bf:71:72:e2:df:
                    b1:52:d7:4c:51:a7:68:42:c5:38:8d:b9:44:b5:bb:
                    af:ab:35:8e:4a:06:a9:63:d7:64:38:33:12:aa:b7:
                    ac:ab:c5:db:ec:29:7c:51:f4:89:bd:39:3e:21:d9:
                    4c:51:01:db:6c:73:b2:91:81:93:22:5c:39:9d:68:
                    f4:b1:e0:0c:a7:eb:7f:26:6a:69:29:2a:a1:50:1e:
                    0a:a4:62:70:bc:ef:09:17:08:2e:85:85:d4:c3:87:
                    83:9c:84:64:65:2c:ac:43:03:06:c2:63:91:9b:0c:
                    80:da:f2:b2:20:81:09:76:58:a2:dd:7b:1e:78:b8:
                    31:d9:ce:09:bc:bb:1c:42:2a:2b:74:c3:64:ef:ee:
                    0b:a9:16:44:e0:9f:e3:1b:65:3e:b0:25:a0:6e:95:
                    34:03:0c:12:32:96:2a:29:92:4e:10:f7:89:9e:83:
                    02:45:80:74:d9:78:db:fe:7f:35:43:1d:9a:2d:4c:
                    6b:f2:9d:68:f8:37:d5:e2:c0:bc:3f:6d:c6:54:0b:
                    c7:23:18:f3:fd:4b:b5:38:64:39:41:a7:dc:29:e1:
                    5d:b2:a6:6a:c1:4c:e6:9e:f2:61:f6:5e:bf:82:61:
                    08:15:e7:4b:29:10:ac:33:bc:d2:b9:03:2f:99:42:
                    c9:0b:72:d3:c2:ea:18:41:10:97:c3:23:37:1d:d6:
                    3d:75:82:41:ff:11:58:17:38:28:47:73:ad:8a:f1:
                    c4:22:e6:70:c8:a8:90:1a:53:4e:94:51:31:f9:b8:
                    a5:8d:02:c6:19:28:82:a4:49:2d:df:4d:62:79:58:
                    95:97:bc:0a:fe:cd:44:f1:38:dc:b3:3f:67:f0:fb:
                    78:48:87:0b:86:00:57:ec:db:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                FF:8C:98:75:1B:0C:B8:46:4D:FA:99:F1:91:E6:A4:C3:11:26:CE:BE
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                FF:8C:98:75:1B:0C:B8:46:4D:FA:99:F1:91:E6:A4:C3:11:26:CE:BE
            Authority Information Access:
                OCSP - URI:http://pki.example.com:8080/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9c:15:d2:14:06:26:d0:b4:ff:88:f5:67:fa:61:e3:df:82:06:
        8f:3b:de:aa:31:fd:d5:b6:df:1a:7f:2b:31:23:79:47:05:b0:
        60:a9:ed:aa:a8:3d:9f:ad:8e:01:71:28:b4:96:35:a2:f1:f7:
        de:4a:08:ec:bc:fa:37:05:c5:4f:3c:13:0a:53:66:c2:d3:ef:
        ee:d6:70:2a:8e:59:bc:35:8a:17:de:18:5b:79:41:a2:1f:ea:
        19:6f:b5:ee:f1:d7:49:99:03:9c:c4:5d:3f:88:71:86:d3:23:
        d8:1a:84:22:6d:cf:4f:8b:c2:e5:67:5c:75:13:0a:8a:a8:5b:
        c1:1e:34:ab:57:03:d3:0f:5b:22:8c:10:29:ca:69:c8:f2:9c:
        9d:cb:6c:71:94:3a:f9:08:72:80:05:60:c8:a8:ac:7b:ed:06:
        e2:c7:d1:60:1d:93:8e:f7:c7:11:ea:4a:60:8a:ad:7d:18:31:
        56:b2:cd:36:f0:f1:7a:08:89:53:a3:fb:29:e4:b4:da:be:9f:
        73:84:e1:e0:5f:65:23:d8:57:cd:b0:a2:9c:d2:bb:69:71:b4:
        73:83:b4:d1:42:5e:d6:ac:25:76:7d:96:e5:49:90:b9:b8:8f:
        8d:8c:9c:25:8e:7d:06:79:1e:1b:db:d2:8f:70:47:e7:f3:ec:
        5d:25:4c:80:f3:56:47:bd:06:fd:fa:6f:b3:78:37:19:f1:19:
        e3:d3:d6:7c:81:89:58:95:ca:a3:7f:d2:0e:0c:49:4a:d2:98:
        74:6f:0b:6e:98:1f:9d:7c:ee:e3:2c:3f:ee:df:05:86:b4:29:
        62:18:2a:d3:8c:b1:b6:ec:a5:9b:ca:08:19:84:4c:ad:18:d6:
        c4:21:e4:82:11:0f:c6:16:ca:85:ce:92:05:9d:7b:3a:7c:01:
        5c:cc:f7:ce:c1:36:1a:09:c8:c5:1b:0f:cd:a3:20:89:82:ff:
        78:20:b1:4e:34:68:a9:9a:a3:1b:5f:10:e1:96:61:dd:ab:55:
        5b:51:32:13:b7:ff
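Looking at the decoded certificate by eye confirms that something was published; it does not confirm that the entry in LDAP is the CA certificate the CA actually uses, which matters because relying parties such as the OCSP responder may fetch it from there. The following Python script is an added example, not part of the dogtagpki/pki project or this wiki page. It parses the LDIF that ldapsearch prints when run without -t (the cACertificate;binary value is then base64-encoded inline after "::" rather than written to a file), decodes every published certificate and compares its SHA-256 fingerprint with the DER of the certificate the operator trusts, so a stale or replaced entry is reported. The DER byte strings in it are constructed stand-ins, not real certificates, and the LDIF is built from them; the sha256 fingerprint is computed in the same colon-separated form openssl prints.

```python
"""Verify that the CA certificate published in LDAP matches the expected one.

Added example; not part of the dogtagpki/pki project. Parses ldapsearch
LDIF output (run without -t, so binary values are inline base64) and
compares the SHA-256 fingerprint of each published cACertificate;binary
value with the DER of the trusted CA certificate.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for DER certificates (not real certificates).
EXPECTED_CA_DER = b"\x30\x82\x01\x00" + bytes(range(256))
STALE_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))


def _ldif_entry(dn: str, der: bytes) -> str:
    """Build one LDIF entry with the value folded at 76 columns, as ldapsearch
    prints it (continuation lines start with a single space)."""
    b64 = base64.b64encode(der).decode()
    lines = ["dn: " + dn, "objectClass: pkiCA", "cACertificate;binary:: " + b64[:60]]
    lines += [" " + b64[i:i + 76] for i in range(60, len(b64), 76)]
    return "\n".join(lines)


# Constructed sample: the current CA certificate plus a leftover older entry.
SAMPLE_LDIF = "\n".join([
    "# constructed sample output, two entries",
    _ldif_entry("cn=CA Signing Certificate,dc=crl,dc=pki,dc=example,dc=com", EXPECTED_CA_DER),
    "",
    _ldif_entry("cn=Old CA,dc=crl,dc=pki,dc=example,dc=com", STALE_DER),
    "",
])


def _unfold(text: str) -> List[str]:
    """Join folded LDIF lines and drop comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Parse LDIF into a list of entries mapping attribute -> values.
    '::' marks a base64 value; values are kept as bytes so binary
    attributes are not mangled. A blank line ends an entry."""
    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in _unfold(text):
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip().encode()  # plain or '< file://' reference, left as-is
        current.setdefault(attr.strip(), []).append(decoded)
    if current:
        entries.append(current)
    return entries


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def verify_published(ldif_text: str, expected_der: bytes,
                     attr: str = "cACertificate;binary") -> Tuple[bool, List[Tuple[str, str, bool]]]:
    """Return (ok, report). ok is True when at least one published certificate
    matches expected_der; report lists (dn, fingerprint, matched) per value."""
    expected = sha256_fingerprint(expected_der)
    report: List[Tuple[str, str, bool]] = []
    ok = False
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [b"?"])[0].decode()
        for der in entry.get(attr, []):
            fp = sha256_fingerprint(der)
            report.append((dn, fp, fp == expected))
            ok = ok or fp == expected
    return ok, report


if __name__ == "__main__":
    matched, rows = verify_published(SAMPLE_LDIF, EXPECTED_CA_DER)
    for dn, fp, hit in rows:
        print(("MATCH  " if hit else "STALE  ") + dn, fp)
    print("expected CA certificate present:", matched)
```

To use it against a real directory, feed it the output of the ldapsearch command above with the -t option removed and pass the DER of the CA signing certificate (for example the bytes of a file exported with openssl x509 -outform DER) as expected_der; any entry reported as STALE is one that relying parties could pick up instead of the current CA certificate and should be cleaned out of the publishing subtree.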