From 150b0b01453da1b6e79057fbfd7ab1375c9db685 Mon Sep 17 00:00:00 2001
From: Amrita Sakthivel <amrita.sakthivel@suse.com>
Date: Wed, 12 Jul 2023 23:12:08 +0530
Subject: [PATCH] BZ1212001: draft content (#1543)

* draft content

* implement partial technical review feedback

* tech review feedback

* style feedback
---
 xml/security_ldap_ca.xml | 71 ++++++++++++++++++++--------------------
 1 file changed, 36 insertions(+), 35 deletions(-)

diff --git a/xml/security_ldap_ca.xml b/xml/security_ldap_ca.xml
index 523f5eb851..d3853d5685 100644
--- a/xml/security_ldap_ca.xml
+++ b/xml/security_ldap_ca.xml
@@ -34,56 +34,57 @@
     certificate, and a root certificate.
   </para>
  <procedure>
-  <para>
-  Before you can import an existing private key and certificate into the NSS
-  database, you need to create a bundle of the private key and the server
-  certificate. This results in a <filename>*.p12</filename>
-  file.
-  </para>
   <important>
-  <title><filename>*.p12</filename> file and friendly name</title>
-  <para>
-   When creating the PKCS12 bundle, you must encode <literal>Server-Cert</literal>
-   as the friendly name in the <filename>*.p12</filename> file.
-   Otherwise the TLS connection will fail, because the &ds389; searches for
-   this exact string.
-  </para>
   <para>
-    The friendly name cannot be changed after you
-    import the <filename>*.p12</filename> file into the NSS
-    database.
+  The Mozilla NSS (Network Security Services ) toolkit uses nicknames for certificates in the certificate store.
+  The server certificate uses the nickname <emphasis>Server-Cert</emphasis>.
   </para>
- </important>
+  </important>
  <step>
   <para>
-   Use the following command to create the PKCS12 bundle with the required friendly name:
+   Use the following commands to remove the Self-Signed-CA and Server-Cert from the instance:
   </para>
-<screen>&prompt.sudo;<command>openssl pkcs12 -export -in <replaceable>SERVER.crt</replaceable></command> \
-<command>-inkey <replaceable>SERVER.key</replaceable></command> \
-<command>-out <replaceable>SERVER.p12</replaceable> -name Server-Cert</command></screen>
+<screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Self-Signed-CA</command>
+&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Server-Cert
+</command>
+</screen>
+
   <para>
-   Replace <replaceable>SERVER.crt</replaceable> with the server certificate
-   and <replaceable>SERVER.key</replaceable> with the private key to be bundled.
-   Use <option>-out</option> to specify the name of the <filename>*.p12</filename>
-   file. Use <option>-name</option> to set the friendly name, which must be
-   <literal>Server-Cert</literal>.
+   Replace <replaceable>INSTANCE_NAME</replaceable> with the instance name of the directory server.
+   This is LDAP1 in the previous sections.
   </para>
  </step>
  <step>
    <para>
-     Before you can import the file into the NSS database, you need to
-     obtain its password. The password is stored in the
-     <filename>pwdfile.txt</filename> file in the
-     <filename>/etc/dirsrv/slapd-<replaceable>INSTANCE-NAME/</replaceable></filename> directory.
+    Import the CA that has signed your certificate.
    </para>
+   <screen>&prompt.sudo;<command>sudo dsctl <replaceable>INSTANCE_NAME</replaceable> tls import-ca
+   /path/to/CA/in/PEM/format/CA.pem  <replaceable>NICKNAME_FOR_CA</replaceable>
+</command>
+</screen>
+<para>Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.
+Replace <literal>/path/to/CA/in/PEM/format/CA.pem</literal> with the full path to the CA certificate file in the PEM format.
+Replace <literal>NICKNAME_FOR_CA </literal> with a nickname for the CA. </para>
  </step>
  <step>
   <para>
-   Now import the <replaceable>SERVER.p12</replaceable> file
-   into your &ds389a; NSS database:
+   Import the server certificate and the key for the certificate.
   </para>
-  <screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Self-Signed-CA</command>
-&prompt.sudo;<command>pk12util -i <replaceable>SERVER.p12</replaceable> -d /etc/dirsrv/slapd-<replaceable>INSTANCE-NAME</replaceable>/cert9.db</command></screen>
- </step>
+  <screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls import-server-key-cert
+  <replaceable>/path/to/SERVER.pem</replaceable> <replaceable>/path/to/SERVER.key</replaceable></command>
+  </screen>
+  <para> Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.
+Replace <literal>/path/to/SERVER.pem</literal> with the full path to the server certificate in PEM format.
+Replace <literal>/path/to/SERVER.key</literal> with the full path to the server certificate key file in the PEM format.
+</para>
+</step>
+<step>
+  <para>
+   Restart the instance so that the new certificates are used.
+  </para>
+  <screen>&prompt.sudo;<command>systemctl restart dirsrv@<replaceable>INSTANCE-NAME.</replaceable>.service
+</command> </screen>
+<para>Replace  <literal>INSTANCE_NAME</literal> with the instance name of the directory server.</para>
+</step>
  </procedure>
  </sect1>