Difference between revisions of "Enabling Client Certificate Authentication with Internal Database"

From Dogtag
Revision as of 23:19, 18 September 2015


This document describes the procedure for enabling client certificate authentication between the PKI server and its internal database (DS).


Configuring Certificate Mapping in DS

Export PKI server's CA certificate into a PEM file:

$ certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-tomcat CA" -a > pkica.pem

Import the PEM file into DS server's NSS database:

$ certutil -A -d /etc/dirsrv/slapd-pki-tomcat -n "PKI CA certificate" -t "CTu,u,u" -i pkica.pem

Verify with the following command:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat

Configure DS certificate mapping in /etc/dirsrv/slapd-pki-tomcat/certmap.conf:

certmap example         CN=CA Signing Certificate,O=EXAMPLE
example:CmapLdapAttr    seeAlso
example:verifycert      on
NOTE: Replace CN=CA Signing Certificate,O=EXAMPLE with the value of the "Subject:" entry from certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-tomcat CA"!

Restart the DS server:

$ systemctl restart dirsrv@pki-tomcat.service
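The issuer DN in certmap.conf has to match the CA certificate's subject exactly, otherwise DS never selects the "example" mapping for the subsystem certificate. The following POSIX sh snippet is an added example (not part of this wiki page or of Dogtag itself) that pulls the "Subject:" DN out of certutil -L output, generates the certmap.conf stanza from it, and checks an existing stanza against the CA subject; the certutil output embedded below is a constructed sample, so it runs without an NSS database.

```shell
#!/bin/sh
# Constructed sample of what `certutil -L -d /etc/pki/pki-tomcat/alias \
#   -n "caSigningCert cert-pki-tomcat CA"` prints (abridged).
SAMPLE_CERTUTIL_OUTPUT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: "CN=CA Signing Certificate,O=EXAMPLE"
        Validity:
            Not Before: Fri Sep 18 00:00:00 2015
            Not After : Mon Sep 18 00:00:00 2035
        Subject: "CN=CA Signing Certificate,O=EXAMPLE"'

# Print the DN from the first "Subject:" line of certutil -L output, without quotes.
ca_subject() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Subject: "\(.*\)"$/\1/p' | head -n 1
}

# Emit the certmap.conf stanza from the procedure for mapping name $1 and issuer DN $2.
certmap_stanza() {
    printf 'certmap %s\t%s\n' "$1" "$2"
    printf '%s:CmapLdapAttr\tseeAlso\n' "$1"
    printf '%s:verifycert\ton\n' "$1"
}

# Print the issuer DN configured for mapping name $2 in certmap.conf contents $1.
certmap_issuer() {
    printf '%s\n' "$1" | sed -n "s/^certmap[[:space:]]\{1,\}$2[[:space:]]\{1,\}//p" | head -n 1
}

# Return 0 when the stanza's issuer DN equals the CA subject, 1 on a mismatch.
certmap_matches_ca() {
    [ "$(certmap_issuer "$1" "$2")" = "$3" ]
}

CA_DN=$(ca_subject "$SAMPLE_CERTUTIL_OUTPUT")
certmap_stanza example "$CA_DN"
```

In a real deployment, feed the output of the certutil command from the NOTE above into ca_subject instead of the sample, and run certmap_matches_ca on the contents of /etc/dirsrv/slapd-pki-tomcat/certmap.conf before restarting DS.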

Verify that the client certificate exists in PKI server's NSS database:

$ certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-tomcat"

On Fedora, verify with openldap-clients compiled with OpenSSL:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "Directory Server CA certificate" -a > dsca.pem
$ pki -d /var/lib/pki/pki-tomcat/alias -C /var/lib/pki/pki-tomcat/conf/password.conf \
    client-cert-show "subsystemCert cert-pki-tomcat" --cert subsystem.pem --private-key subsystem.key
$ echo TLS_CACERT dsca.pem > ldaprc
$ echo TLS_CERT subsystem.pem >> ldaprc
$ echo TLS_KEY subsystem.key >> ldaprc
$ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 \
    -b "dc=example,dc=com" "(objectClass=*)"

On RHEL, get the NSS database password:

$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}'

then verify with openldap-clients compiled with NSS:

$ LDAPTLS_CACERTDIR=/var/lib/pki/pki-tomcat/alias LDAPTLS_CERT="subsystemCert cert-pki-tomcat" \
    ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 \
    -b "dc=example,dc=com" "(objectClass=*)"

Configuring Client Certificate Authentication in PKI Server

Configure PKI server to use the client certificate by editing the CS.cfg:

internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-tomcat

Restart PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

Verify that the PKI server authenticates against DS using the client certificate with the following command:

$ pki cert-find