Posted to users@directory.apache.org by Pieter Neerincx <pi...@gmail.com> on 2010/04/27 18:34:38 UTC

Re: [ApacheDS] Certificate for StartTLS

Hi Stefan,

I'm having the same problem and learned the hard way that storing the certificate + private key in the DS is not a smart thing to do. If you make a mistake as I apparently did, the server will refuse to start, so I basically locked myself out. Or at least I don't know how to change the values without Apache Directory Studio. Fortunately that was just a test instance and no production server (yet) :). I have an OpenSSL certificate, which I managed to convert into a keystore that I hope I can use with a future version of ApacheDS, but for the time being I would appreciate any advice on how to extract the certificate + keys from the keystore in the right format for the Admin Entry...

Cheers,

Pieter


> Stefan Seelmann wrote on Wed, 06 Jan 2010 04:29:18 -0800
> 
> Hi Matthias,
> 
> Matthias Cramer wrote:
> 
>     As it looks like, the starttls extension does not honor the keystore
>     configured in the ldapServer config.
> 
> Yes, you are right. I just checked the source code and the configured keystore in server.xml isn't used for StartTLS extended operation :-/
> 
> You could find the certificate and key that is used in the Admin Entry (uid=admin,ou=system):
> 
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
> 
> 
> What you need to do is to extract the private key, public key and certificate from your keystore and replace the attributes privateKey, publicKey and userCertificate with those guys. You could use Portecle and OpenSSL to extract that information. If you need further help don't hesitate to ask.
> 
> Not very user friendly right now...
> 
> Kind Regards,
> Stefan

-------------------------------------------------------------
mobile: +31 6 143 66 783
e-mail: pieter.neerincx@gmail.com
skype:  pieter.online
-------------------------------------------------------------
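The extraction step Stefan describes and Pieter asks about, as an added example that is not part of the thread and not ApacheDS project code: it uses only OpenSSL to pull the three values out of a PKCS#12 keystore in the formats the entry's attributes declare, checks that the key and certificate actually belong together, and prints them as LDIF. The keystore, its password and the CN are constructed here; a JKS keystore would first need a keytool conversion, as noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: pull the three values Stefan lists for
# uid=admin,ou=system out of a PKCS#12 keystore with OpenSSL and print them as LDIF.
#   privateKey      -> PKCS#8 DER (matches privateKeyFormat: PKCS#8)
#   publicKey       -> X.509 SubjectPublicKeyInfo DER (matches publicKeyFormat: X.509)
#   userCertificate -> X.509 certificate DER
# A JKS file would first be converted: keytool -importkeystore -deststoretype PKCS12.
set -e

# Constructed sample: a throwaway self-signed key pair standing in for a real keystore.
make_sample_keystore() {   # $1 = .p12 path to create, $2 = keystore password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -name ldap \
        -out "$1" -passout "pass:$2"
}

# Write privateKey.der, publicKey.der and userCertificate.der into directory $3.
extract_admin_entry_material() {   # $1 = .p12 path, $2 = password, $3 = output dir
    # Private key: PEM out of the keystore, re-encoded as unencrypted PKCS#8 DER.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkcs8 -topk8 -nocrypt -outform DER -out "$3/privateKey.der"
    # Certificate: the end-entity cert only, as DER.
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -outform DER -out "$3/userCertificate.der"
    # Public key: taken from the certificate so it is guaranteed to be the one it binds.
    openssl x509 -in "$3/userCertificate.der" -inform DER -pubkey -noout \
        | openssl pkey -pubin -outform DER -out "$3/publicKey.der"
}

# Check that the private key really belongs to the certificate before touching the entry:
# a mismatch here is the kind of mistake that leaves the server refusing to start.
keys_match() {   # $1 = dir with the DER files; exit status 0 when they agree
    openssl pkey -in "$1/privateKey.der" -inform DER -pubout -outform DER \
        | cmp -s - "$1/publicKey.der"
}

# Print an LDIF modify for the entry; '::' marks base64 values, as in Stefan's listing.
emit_ldif() {   # $1 = dir with the DER files
    printf 'dn: uid=admin,ou=system\nchangetype: modify\n'
    for attr in privateKey publicKey userCertificate; do
        printf 'replace: %s\n%s:: %s\n-\n' "$attr" "$attr" \
            "$(openssl base64 -A -in "$1/$attr.der")"
    done
}
```

Call make_sample_keystore, extract_admin_entry_material, keys_match and emit_ldif in that order; skip the first function and point the second at the real keystore once the test run looks right.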


Re: [ApacheDS] Certificate for StartTLS

Posted by Alex Karasulu <ak...@gmail.com>.
On Tue, Apr 27, 2010 at 7:34 PM, Pieter Neerincx
<pi...@gmail.com> wrote:

> Hi Stefan,
>
> I'm having the same problem and learned the hard way that storing the
> certificate + private key in the DS is not a smart thing to do. If you make
> a mistake as I apparently did, the server will refuse to start,


Can you outline how this happens for you? We need to make sure that if this
happens the server is still able to start so you can change that cert.
Please get back to us or file a JIRA on this and we'll make sure this
problem goes away.

Regards,
Alex


-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu