title: Enabling SSL on CentOS Directory Server link: https://onemoretech.wordpress.com/2009/11/03/enabling-ssl-on-centos-directory-server/ author: lembobro description: post_id: 218 created: 2009/11/03 02:47:39 created_gmt: 2009/11/03 02:47:39 comment_status: open post_name: enabling-ssl-on-centos-directory-server status: publish post_type: post

Enabling SSL on CentOS Directory Server

This will be a short post, since the published documentation from Red Hat is excellent and really needs no explaining.

Basically there’s a 5 step process involved in getting the Directory Server to support LDAPS (LDAP over SSL) connections:

1. Create a certificate request;

2. Submit the request to obtain a signed certificate from your CA (Certificate Authority), retrieve this and your CA’s root (and any Intermediate) certificate.

3. Install your CA’s root (and any Intermediate) certificate in the Directory Server as a Trusted source;

4. Install the signed certificate you obtained from the CA in the Directory Server;

5. Enable SSL on the Directory and recycle the daemon.

All the above steps except #2 are covered in detail by the under chapter 12, Managing SSL of the Red Hat Directory Server documentation, so I’ll just give some hints and tips here.

First, I use a bona fide free (as in beer) CA for all my certificates, cacert.org. It’s not hard to establish an account that gives you the right to obtain as many certificates as often as you need, absolutely free of charge (of course donations are encouraged).

Sometimes exporting or importing certificates with the Directory Console doesn’t work too good. Because of this I usually just copy and past the certificate text into the windows of the console interface. Ditto for requesting and retrieving certs on the cacert.org site.

If an existing install of the directory server is rebuilt, even on the same host with the same name, you’ll need to generate a brand new certificate request for it. The old certs will not work. Just try importing one and see.

Even when using the cut-and-past method, I always make an extra copy into a plain text file as a way of documenting what was done (and yes, cacert.org also maintains copies of issued certificates in their db).

The administration server has to be separately enabled for SSL, and requires a separate cert request and its own signed certificates.

Somewhere in the process a pin.txt file needs to get installed alongside the server certificates so that the SSL-enabled server can be automatically restarted on reboot, etc. Without a properly formatted pin.txt file the server will prompt for the certificate password when coming up. On a restart after reboot this will obviously lead to the server failing to start.

Here are the locations of files to make notes of:

/etc/dirsrv/slapd-[instance name]
This is where the certificates for the directory instance are stored, as well as its pin.txt file. It’s also where the main configuration file for the directory instance, dse.ldif
lives.

/etc/dirsrv/admin-serv
This is where the certificates for the admin serverare stored, as well as itspin.txt file. It’s also where the config files for the admin server live.

/var/log/dirsrv
Where the logs for the administration and directory servers live.

/var/lib/dirsrv
Location of all directory databases and backup files, under subdirectories named for the instance, like /var/lib/dirsrv/slapd-newserver.

Once again, the Red Hat doc does a very good job of explaining how the test everything. In my case Apache Directory Studio worked just fine as an LDAPS client once my directory was enabled. All I had to do was check the box for an encrypted connection and change the port to 636 (the default port for LDAPS).

Copyright 2004-2019 Phil Lembo