Enabling SSL Connection in DS

Endi S. Dewata edited this page Mar 23, 2021 · 9 revisions

Overview

This page describes how to enable the SSL connection in DS (389 Directory Server) using a self-signed signing certificate and a server certificate issued by it, both created with the PKI NSS CLI commands.

This page assumes that a DS instance named localhost already exists, that its NSS database does not yet contain any certificates, and that the SSL connection is disabled.

Creating DS Signing Certificate

First, generate the DS signing CSR with the following command:

$ pki \
    -d /etc/dirsrv/slapd-localhost \
    -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-request \
    --subject "CN=DS Signing Certificate" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ds_signing.csr

Next, issue the DS signing certificate (no --issuer is given, so the certificate is self-signed with the key from the CSR):

$ pki \
    -d /etc/dirsrv/slapd-localhost \
    -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-issue \
    --csr ds_signing.csr \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --cert ds_signing.crt

Finally, import the DS signing certificate with CA trust flags (CT,C,C) under the nickname Self-Signed-CA:

$ pki \
    -d /etc/dirsrv/slapd-localhost \
    -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-import \
    --cert ds_signing.crt \
    --trust CT,C,C \
    Self-Signed-CA

To verify the DS signing certificate:

$ certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA

Creating DS Server Certificate

First, generate the DS server CSR with the following command (the subject CN should match the hostname clients will use to connect):

$ pki \
    -d /etc/dirsrv/slapd-localhost \
    -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-request \
    --subject "CN=pki.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr ds_server.csr

Next, issue the DS server certificate, signed by the Self-Signed-CA created above:

$ pki \
    -d /etc/dirsrv/slapd-localhost \
    -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-issue \
    --issuer Self-Signed-CA \
    --csr ds_server.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert ds_server.crt

Finally, import the DS server certificate under the nickname Server-Cert:

$ pki \
    -d /etc/dirsrv/slapd-localhost \
    -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-import \
    --cert ds_server.crt \
    Server-Cert

To verify the DS server certificate:

$ certutil -L -d /etc/dirsrv/slapd-localhost -n Server-Cert

Enabling SSL Connection

To enable the SSL connection in the DS instance, turn on the nsslapd-security attribute:

$ dsconf localhost config replace nsslapd-security=on

Finally, restart the DS instance:

$ dsctl localhost restart
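The three sections above, collected into one re-runnable script as an added example (this is not code from the PKI wiki or the Dogtag project). It wraps the same pki, dsconf and dsctl commands in functions, adds a DRY_RUN mode that prints the commands for review, and finishes with two checks a practitioner would want after the restart: the trust attributes recorded in the NSS database (read from the certutil -L listing) and a TLS handshake against the LDAPS port verified against the exported signing certificate. Assumptions not stated on the page: LDAPS listens on port 636 (the DS default), the hostname in the server certificate (pki.example.com) resolves to the DS host, and the nicknames contain no spaces (true for the two used here).

```shell
#!/bin/sh
# Added example: the page's procedure as one script, plus post-restart checks.
# Assumptions (not on the page): LDAPS port 636, server CN resolvable,
# nicknames without spaces.
set -eu

INSTANCE="${INSTANCE:-localhost}"              # DS instance name (page: localhost)
SERVER_HOST="${SERVER_HOST:-pki.example.com}"  # CN of the server cert (page value)
DB_DIR="/etc/dirsrv/slapd-$INSTANCE"
PWDFILE="$DB_DIR/pwdfile.txt"
EXT_DIR="/usr/share/pki/server/certs"
LDAPS_PORT="${LDAPS_PORT:-636}"                # assumption: DS default LDAPS port
DRY_RUN="${DRY_RUN:-0}"                        # DRY_RUN=1 prints commands instead

# Run a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Every pki NSS command on the page shares the database and password-file options.
pki_nss() {
    run pki -d "$DB_DIR" -C "$PWDFILE" "$@"
}

# Step 1: self-signed signing certificate, imported with CA trust (CT,C,C).
create_signing_cert() {
    pki_nss nss-cert-request --subject "CN=DS Signing Certificate" \
        --ext "$EXT_DIR/ca_signing.conf" --csr ds_signing.csr
    pki_nss nss-cert-issue --csr ds_signing.csr \
        --ext "$EXT_DIR/ca_signing.conf" --cert ds_signing.crt
    pki_nss nss-cert-import --cert ds_signing.crt --trust CT,C,C Self-Signed-CA
}

# Step 2: server certificate issued by Self-Signed-CA.
create_server_cert() {
    pki_nss nss-cert-request --subject "CN=$SERVER_HOST" \
        --ext "$EXT_DIR/sslserver.conf" --csr ds_server.csr
    pki_nss nss-cert-issue --issuer Self-Signed-CA --csr ds_server.csr \
        --ext "$EXT_DIR/sslserver.conf" --cert ds_server.crt
    pki_nss nss-cert-import --cert ds_server.crt Server-Cert
}

# Step 3: switch nsslapd-security on and restart the instance.
enable_ssl() {
    run dsconf "$INSTANCE" config replace nsslapd-security=on
    run dsctl "$INSTANCE" restart
}

# Print the trust attributes of one nickname from `certutil -L -d <dir>` listing
# text on stdin: "CT,C,C" for the CA, "u,u,u" for a cert whose private key is
# present. Nothing is printed when the nickname is absent.
trust_flags() {
    awk -v nick="$1" '$1 == nick { print $NF }'
}

# Confirm the database holds the trust the procedure is meant to establish.
check_trust() {
    listing=$(certutil -L -d "$DB_DIR")
    [ "$(printf '%s\n' "$listing" | trust_flags Self-Signed-CA)" = "CT,C,C" ] \
        || { echo "Self-Signed-CA is not trusted as a CA" >&2; return 1; }
    [ "$(printf '%s\n' "$listing" | trust_flags Server-Cert)" = "u,u,u" ] \
        || { echo "Server-Cert has no private key in the database" >&2; return 1; }
}

# Export the signing cert as PEM and verify the LDAPS handshake chains to it.
check_ldaps() {
    certutil -L -d "$DB_DIR" -n Self-Signed-CA -a > ds_signing.pem
    openssl s_client -connect "$SERVER_HOST:$LDAPS_PORT" \
        -CAfile ds_signing.pem -verify_return_error </dev/null >/dev/null
}

# Only act on an explicit --apply, so sourcing the file for its functions or
# reviewing it with DRY_RUN=1 has no side effects on the instance.
if [ "${1:-}" = "--apply" ]; then
    create_signing_cert
    create_server_cert
    enable_ssl
    if [ "$DRY_RUN" != "1" ]; then
        check_trust
        check_ldaps
    fi
fi
```

Run `DRY_RUN=1 sh enable-ds-ssl.sh --apply` first to see the exact commands that will be issued for the instance, then `sh enable-ds-ssl.sh --apply` to execute them; `INSTANCE` and `SERVER_HOST` can be overridden in the environment for an instance not named localhost.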