Publishing User Certificates to LDAP Server - dogtagpki/pki GitHub Wiki
This page describes how to configure the CA to publish user certificates to an LDAP server.

Prepare the users subtree:
    $ ldapadd \
        -H ldap://$HOSTNAME:389 \
        -x \
        -D "cn=Directory Manager" \
        -w Secret.123
    dn: ou=people,dc=pki,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people
Prepare the users, for example:
    $ ldapadd \
        -H ldap://$HOSTNAME:389 \
        -x \
        -D "cn=Directory Manager" \
        -w Secret.123
    dn: uid=testuser,ou=people,dc=pki,dc=example,dc=com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: testuser
    cn: Test User
    sn: User
The user certificate publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
To configure the LDAP connection:
    $ pki-server ca-config-set ca.publish.ldappublish.enable true
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host $HOSTNAME
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 389
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager"
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb
    $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.clientCertNickname ""
To configure the LDAP-based user certificate publisher:

    $ pki-server ca-config-set ca.publish.publisher.instance.LdapUserCertPublisher.certAttr "userCertificate;binary"
    $ pki-server ca-config-set ca.publish.publisher.instance.LdapUserCertPublisher.pluginName LdapUserCertPublisher
To configure the user certificate mapper (the dnPattern builds the target entry DN from the UID in the certificate subject):

    $ pki-server ca-config-set ca.publish.mapper.instance.LdapUserCertMap.dnPattern "uid=\$subj.UID,ou=people,dc=pki,dc=example,dc=com"
    $ pki-server ca-config-set ca.publish.mapper.instance.LdapUserCertMap.pluginName LdapSimpleMap
To configure the user certificate publishing rule:

    $ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.enable true
    $ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.mapper LdapUserCertMap
    $ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.pluginName Rule
    $ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.predicate ""
    $ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.publisher LdapUserCertPublisher
    $ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.type certs
To enable publishing:
    $ pki-server ca-config-set ca.publish.enable true
Finally, restart the server.
Submit a certificate request for a user, for example:
    $ pki client-cert-request uid=testuser
Approve the request:
    $ pki -n caadmin ca-cert-request-approve <request ID> --force
To retrieve the published user certificate (with -t, ldapsearch writes the binary attribute to a temporary file and prints its path):

    $ ldapsearch \
        -H ldap://$HOSTNAME:389 \
        -x \
        -D "cn=Directory Manager" \
        -w Secret.123 \
        -b uid=testuser,ou=people,dc=pki,dc=example,dc=com \
        -t
    dn: uid=testuser,ou=people,dc=pki,dc=example,dc=com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    uid: testuser
    cn: Test User
    sn: User
    userCertificate;binary:< file://<path>
To view the published user certificate:
    $ openssl x509 \
        -in <path> \
        -inform DER \
        -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                b6:0a:d9:f8:f3:b4:c0:a5:b0:8c:ca:0d:00:44:ee:f8
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
            Validity
                Not Before: Aug 31 15:58:29 2022 GMT
                Not After : Feb 27 16:58:29 2023 GMT
            Subject: UID = testuser
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:c5:0e:0e:6f:10:4f:32:be:8e:81:37:6d:cf:89:
                        fe:d8:4a:0c:bd:bf:1c:a2:af:60:25:ee:3a:9e:47:
                        ef:96:6f:20:1f:46:2e:70:67:29:ed:76:02:11:8a:
                        c5:1c:fe:3f:b3:ec:f3:4c:11:c2:04:6d:0d:cb:1a:
                        07:0f:ec:c0:08:10:b4:e6:b8:91:d6:bb:dc:9a:f5:
                        6f:75:22:b0:1a:59:44:84:6f:2a:76:9f:01:09:30:
                        6e:14:5c:ab:5c:a5:25:af:7e:b5:ed:79:f0:38:da:
                        b3:df:87:71:02:2c:3a:93:b6:d9:9e:8f:87:2c:f3:
                        81:21:cc:74:a8:a1:74:e8:8d:1b:ea:ab:cd:f3:23:
                        bc:92:09:42:aa:4f:0b:1b:c8:c9:58:c5:75:72:c9:
                        d5:56:48:5f:7a:25:8a:2d:45:41:09:47:59:79:b5:
                        fa:6b:9c:82:ae:c4:93:4a:d7:5f:11:f7:64:89:83:
                        c1:fa:6e:6a:87:ef:83:74:f3:f5:4c:b7:cf:46:94:
                        70:b3:4e:1b:2d:f8:6f:e0:f1:9f:1e:07:82:98:65:
                        93:dc:cc:ae:8d:8d:b4:7e:e6:b9:ae:6c:c1:e5:06:
                        1a:92:d3:31:11:47:e1:b4:5b:6f:58:9a:a3:97:f4:
                        2f:70:2a:4f:4a:bf:7b:b3:47:89:bd:2e:05:d8:6e:
                        1a:93
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:0E:9F:2D:3B:AC:81:50:91:A0:2B:70:22:98:A7:D2:74:1C:15:9E:40
                Authority Information Access:
                    OCSP - URI:http://pki.example.com:8080/ca/ocsp
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, E-mail Protection
        Signature Algorithm: sha256WithRSAEncryption
             1b:b8:51:40:81:1a:4b:54:c3:98:3e:b2:2e:75:89:0b:b9:e5:
             75:13:0b:15:c5:c6:e4:37:5e:92:78:74:5c:7d:a4:cf:d9:f9:
             c4:d3:64:3e:06:ab:10:51:b3:4f:b7:2a:65:26:5f:d8:35:2f:
             da:84:c7:27:23:0a:c1:be:60:67:e7:ce:f1:83:7e:98:e2:68:
             c3:76:42:8c:da:1a:52:f1:99:ce:91:97:79:1a:5f:09:9c:68:
             6b:1b:26:59:29:02:09:8e:91:13:5d:bc:42:55:23:85:31:91:
             fc:6d:c1:2d:7e:b6:46:1b:d8:5a:0a:78:a0:dd:ca:fa:a5:df:
             8c:2d:68:01:ac:23:27:30:05:c9:f9:ff:f5:67:b9:dc:87:10:
             f6:26:de:26:54:2a:7a:db:ec:db:04:01:52:da:d4:0a:ed:04:
             cb:52:e1:09:39:a5:12:e5:7a:a3:c1:6f:5d:9d:cd:77:58:ce:
             0d:86:ea:9c:28:c3:11:48:b2:94:0e:07:a3:4a:87:04:88:93:
             a7:a1:e6:49:5c:81:61:4d:81:ae:67:15:0d:1b:c0:cf:2e:d0:
             a1:b9:56:b7:b9:16:01:db:ba:c6:9c:a0:11:bc:1c:40:ab:62:
             95:22:52:13:c5:d8:59:08:f3:98:f9:9a:8c:81:ee:c8:f9:ae:
             c4:09:6d:b6:e9:0d:f8:5d:9b:5b:1d:41:6e:3d:c9:7c:70:aa:
             e7:1f:71:59:b0:86:b5:30:30:74:00:4f:12:2a:f6:44:ae:02:
             fa:5c:bd:c5:ba:cb:70:5f:38:ae:bb:86:5c:e2:0c:79:6e:0a:
             ab:f5:1d:70:06:e5:a7:96:0e:18:99:78:6d:3f:6e:bd:dc:d7:
             35:ac:1b:6b:27:0a:e2:13:3b:5f:bf:ca:67:fb:ef:c8:29:57:
             ec:ee:8f:4e:b4:03:f1:8b:49:15:68:e0:f5:94:a0:b7:b5:96:
             f6:32:14:8e:9c:98:99:73:44:8f:fa:95:b1:9b:22:13:21:1f:
             df:dd:5b:40:5a:61