1. Create a CA root certificate:
Note: You can either use your existing CA root or follow this procedure for creating a CA root certificate.
2. Create a CSR for the SunLDAP server:
Use dsadm to create the CSR for the SunLDAP server. Log in to the server on which SunLDAP is installed:
# cd /opt/sun/ds6/bin ### RHAS 4 path; on Solaris use /opt/SUNWdsee/ds6/bin
# ./dsadm request-cert --name ldaps://sun-ldapserver.com:636 --org SMI --org-unit SMI --city Bangalore --state Karnataka --country IN -F ascii -o /tmp/newreq.pem /var/opt/sun/dsins1 ### see the dsadm man page for the other options
# ls /tmp/newreq.pem
newreq.pem
Note: "-F ascii" is needed so that the CA can sign the request.
3. Use the CA to sign the CSR:
Use the CA created in step 1 to sign the CSR.
Note: Refer to the procedure for signing a CSR using the CA.
4. Enable SSL for SunLDAP:
After completing the above procedures, we will have the following certificates, which need to be added to the certificate database of the directory instance:
cacert.pem - CA root certificate
newcert.pem - LDAP server certificate (for ldaps://hostname:port-no.)
1. Copy the certificates to the /tmp directory.
2. Log in to the server and change to the bin directory:
# cd /opt/sun/ds6/bin ### RHAS 4 path; on Solaris use /opt/SUNWdsee/ds6/bin
3. Add the server certificate:
# ./dsadm add-cert <instance-path> <cert-alias> <cert-path>
# ./dsadm add-cert /var/opt/sun/dsins1 server-cert /tmp/newcert.pem
4. Add the CA root certificate (-C marks it as a CA certificate):
# ./dsadm add-cert -C <instance-path> <cert-alias> <cert-path>
# ./dsadm add-cert -C /var/opt/sun/dsins1 theCARoot /tmp/cacert.pem
5. Set the server properties to use the newly added server certificate:
# ./dsconf set-server-prop -e -p <non-ssl-port> ssl-rsa-cert-name:<certificate-alias>
# ./dsconf set-server-prop -e -p 389 ssl-rsa-cert-name:server-cert ### server-cert is the alias added in step 3
6. Restart the DS for the changes to take effect:
# ./dsadm restart <instance-path>
# ./dsadm restart /var/opt/sun/dsins1
7. Now stop the DS so that the default cert can be removed (this ensures that the certificate generated above becomes the default cert):
# ./dsadm stop <instance-path>
# ./dsadm stop /var/opt/sun/dsins1
8. Now remove the default certificate:
# ./dsadm remove-cert <instance-path> <cert-alias>
# ./dsadm remove-cert /var/opt/sun/dsins1 defaultCert
If you want to export the default cert before removing it, use the following command, where -o gives the output file:
# ./dsadm export-cert -o /<any-path>/slapd-cert.export <instance-path> <original-default-cert-alias>
9. Now start the server so that it uses the SSL certificate we created:
# ./dsadm start <instance-path>
# ./dsadm start /var/opt/sun/dsins1
10. Check with any LDAP browser that the server answers on ports 389 and 636.
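As an added example (not part of the original post), the following pre-flight script can be run between steps 7 and 8, before defaultCert is removed: it parses the NSS certificate listing of the instance's alias database to confirm that the new server alias has a private key and the CA root carries the CT trust flags, then verifies the live LDAPS port against cacert.pem. It assumes certutil and openssl (1.1.0 or later, for -verify_hostname) are in the PATH, that the NSS database lives at <instance-path>/alias without a file prefix, and that aliases contain no spaces; the hostname and paths in the usage comment are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the SunLDAP SSL setup before
# defaultCert is removed, so the instance is never left with no usable server cert.

# trust_flags_ok SERVER_ALIAS CA_ALIAS   (certutil -L listing on stdin)
# Succeeds only when SERVER_ALIAS has a private key ("u" in the SSL column) and
# CA_ALIAS carries the "C" and "T" SSL trust flags. Assumes aliases have no spaces.
trust_flags_ok() {
    _server="$1"; _ca="$2"; _srv_ok=1; _ca_ok=1
    while read -r _nick _flags; do
        [ -z "$_nick" ] && continue
        _ssl=${_flags%%,*}              # first comma-separated field = SSL trust
        case "$_nick" in
            "$_server") case "$_ssl" in *u*) _srv_ok=0 ;; esac ;;
            "$_ca")     case "$_ssl" in *C*T*|*T*C*) _ca_ok=0 ;; esac ;;
        esac
    done
    [ "$_srv_ok" -eq 0 ] && [ "$_ca_ok" -eq 0 ]
}

# ldaps_chain_ok HOST PORT CAFILE
# Opens a TLS session and fails unless the presented chain verifies against
# CAFILE and the certificate name matches HOST (the --name from step 2).
ldaps_chain_ok() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        -verify_hostname "$1" </dev/null >/dev/null 2>&1
}

# preflight INSTANCE_PATH SERVER_ALIAS CA_ALIAS HOST CAFILE
# e.g. preflight /var/opt/sun/dsins1 server-cert theCARoot sun-ldapserver.com /tmp/cacert.pem
preflight() {
    certutil -L -d "$1/alias" | trust_flags_ok "$2" "$3" || {
        echo "trust flags wrong in $1/alias: do not remove defaultCert yet" >&2
        return 1
    }
    ldaps_chain_ok "$4" 636 "$5" || {
        echo "LDAPS on $4:636 does not verify against $5" >&2
        return 1
    }
    echo "safe to remove defaultCert"
}
```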
I have found that I need to use certutil to add Root certs to the Directory, so that trust flags (CT) are set appropriately:
# /usr/sfw/bin/certutil -A -n CA -t CT,, -d /var/opt/SUNWdsee/dsins1/alias -i /tmp/CACert
# /usr/sfw/bin/certutil -L -P slapd- -d /var/opt/SUNWdsee/dsins1/alias
defaultCert CTu,u,u
servercert u,u,u
RootCA CT,,
Thanks Hari, I am able to configure Sunone LDAP 6.0 as well as 6.3 with the above steps. Thanks a ton!!