
9. Publishing digital certificates with LDAP

This section focuses on how to publish digital certificates into an LDAP server. You need to publish digital certificates if you run a Certification Authority. Publishing to LDAP is a simple way to make this information available on the network. Also, much certificate-aware software uses LDAP as its preferred repository for user certificates.

This lets you keep users' certificates together with the rest of the user information, avoiding needless replication of data.

To deal with certificates you need a cryptographic toolkit; the one used here is OpenSSL.

9.1. LDAP Server configuration

The LDAP server used here is OpenLDAP 2.0.x.

Your LDAP server must support object classes whose attributes can store certificates. In particular you need to store in the LDAP server the Certification Authority certificate, the Certificate Revocation List, the Authority Revocation List and end-user certificates.

The certificationAuthority objectclass implements the authorityRevocationList, certificateRevocationList and cACertificate attributes.

The inetOrgPerson objectclass supports the usercertificate (binary) attribute.

You can also use the auxiliary (mix-in) objectclass strongAuthenticationUser to add certificates to entries that are not inetOrgPerson.

To make the required schemas available to OpenLDAP, include the following schema files in your slapd.conf:

include        /usr/local/etc/openldap/schema/core.schema 
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema

9.2. Certificate Publishing

Certificates are encoded using ASN.1 DER (Distinguished Encoding Rules), so a certificate must be published into the LDAP server as a binary value (BER-encoded), not as text.

You can convert a PEM certificate into DER format using openssl:

openssl x509 -outform DER -in incert.pem  -out outcert.der

Then an LDIF file can be created using the ldif utility provided with OpenLDAP. The command:

ldif -b "usercertificate;binary" < outcert.der   > cert.ldif

creates a usercertificate attribute encoded in Base64. You can add this attribute to an LDIF entry and then use ldapmodify to add the certificate to the entry.

ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com" -f cert.ldif 

Where cert.ldif contains something like:

dn: cn=user,ou=people,dc=yourorg,dc=com
changetype: modify
add: usercertificate
usercertificate;binary:: MIIC2TCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBGMQswCQYD

It is also possible to specify the certificate in the LDIF file as:

userCertificate;binary:< file:///path/to/cert.der
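
The steps above (PEM to DER, Base64 into a `usercertificate;binary::` value, ldapmodify input) can be reproduced without the openssl and ldif tools. The following Python script is an added example, not part of the original HOWTO or of OpenLDAP: it strips the PEM armor, checks that the result really is a DER SEQUENCE before publishing it (a common mistake is to feed the PEM text itself into the attribute), builds the same LDIF that `ldif -b` produces with RFC 2849 line folding, and reads the value back. The certificate bytes and the DN are constructed sample values, not a real certificate.

```python
import base64
import re

# Constructed stand-in for a certificate: a minimal DER SEQUENCE containing
# INTEGER 5. A real X.509 certificate is also a DER SEQUENCE (first byte 0x30),
# only far longer; this keeps the example self-contained and offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

# The same bytes in PEM armor, in the layout `openssl x509` emits.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample DN, matching the HOWTO's example entry.
SAMPLE_DN = "cn=user,ou=people,dc=yourorg,dc=com"


def pem_to_der(pem: str) -> bytes:
    """Equivalent of `openssl x509 -outform DER`: drop the armor, decode Base64."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def check_der_sequence(der: bytes) -> bool:
    """Sanity check before publishing: a certificate is a DER SEQUENCE, so the
    first byte must be 0x30 and the encoded length must cover exactly the rest.
    Handles the short form and the long form (0x81..0x84) definite lengths."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def fold_ldif_line(line: str, width: int = 76) -> str:
    """LDIF (RFC 2849) folds long lines; each continuation line starts with one space."""
    chunks = [line[:width]] + [line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n ".join(chunks)


def cert_to_ldif(dn: str, der: bytes) -> str:
    """Build the ldapmodify input shown in the HOWTO. The `::` after the attribute
    name marks a Base64-encoded value, which is how binary DER travels in LDIF."""
    if not check_der_sequence(der):
        raise ValueError("input is not a DER SEQUENCE; convert PEM to DER first")
    b64 = base64.b64encode(der).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: usercertificate\n"
        + fold_ldif_line(f"usercertificate;binary:: {b64}")
        + "\n"
    )


def ldif_to_der(ldif: str) -> bytes:
    """Recover the DER bytes from the LDIF: unfold continuation lines, then decode."""
    unfolded = ldif.replace("\n ", "")
    for line in unfolded.splitlines():
        if line.lower().startswith("usercertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no usercertificate;binary value found")


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(cert_to_ldif(SAMPLE_DN, der))
```

Feed the printed LDIF to `ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com"` exactly as in the HOWTO; the `check_der_sequence` step is what catches an accidentally published PEM file, which the server would happily store as an unusable blob.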

9.3. LDAP Aware Clients

Once you have stored certificates in the server, you will want to retrieve them.

Among other clients, Netscape has support for retrieving certificates automatically from an LDAP server. Using Security Panel-->User Certificates-->Search Directory, you can search for certificates in the LDAP directory and have them automatically installed in your Netscape certificate database.

Another client with good support for certificates is web2ldap (www.web2ldap.de).

Copyright © 2004-2005 DeniX Solutions SRL