11.2. Obtaining and Installing Server Certificates

Before the Directory Server can be set to run in TLS/SSL, server and CA certificates must be properly configured in the Directory Server. If a server certificate has already been generated for the Directory Server instance and the issuing certificate authority (CA) is already trusted by the Directory Server, begin setting up TLS/SSL as described in Section 11.4, “Starting the Server with SSL Enabled”.

Obtaining and installing certificates consists of the following steps:

  1. Generate a certificate request.

  2. Send the certificate request to a certificate authority.

  3. Install the server certificate.

  4. Set the Directory Server to trust the certificate authority.

  5. Confirm that the certificates are installed.

Two wizards automate the process of creating a certificate database and of installing the key-pair. The Certificate Request Wizard in the Directory Server Console can generate a certificate request and send it to a certificate authority. The Certificate Install Wizard in the Directory Server Console can then install the server certificate and the CA certificate.

11.2.1. Step 1: Generate a Certificate Request

Generate a certificate request, and send it to a CA. The Directory Server Console has a tool, the Certificate Request Wizard, which generates a valid certificate request to submit to any certificate authority (CA).

  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.

  2. Select the Server Certs tab, and click the Request button. This opens the Certificate Request Wizard.

  3. Click Next.

  4. Enter the Requester Information in the blank text fields, then click Next.

    • Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS and reverse DNS lookups; for example, dir.example.com. The server name is critical for client-side validation to work, which prevents man-in-the-middle attacks.

    • Organization. Enter the legal name of the company or institution. Most CAs require this information to be verified with legal documents such as a copy of a business license.

    • Organizational Unit. Optional. Enter a descriptive name for the organization within the company.

    • Locality. Optional. Enter the company's city name.

    • State or Province. Enter the full name of the company's state or province (no abbreviations).

    • Country. Select the two-character abbreviation for the country's name (ISO format). The country code for the United States is US.

  5. Enter the password that will be used to protect the private key, and click Next.

    The Next button is grayed out until a password is supplied.

  6. The Request Submission dialog box provides two ways to submit a request: directly to the CA (if there is one internally) or manually. To submit the request manually, select Copy to Clipboard or Save to File to save the certificate request which will be submitted to the CA.

  7. Click Done to dismiss the Certificate Request Wizard.

After generating the certificate request, send it to the CA.

11.2.2. Step 2: Send the Certificate Request

After the certificate request is generated, send it to a certificate authority (CA); the CA will generate and return a server certificate.

  1. Most certificate requests are emailed to the CA, so open a new message.

  2. Copy the certificate request information from the clipboard or the saved file into the body of the message.

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1J
    OSUExLDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF
    0aW9uMRwwGgYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSI
    b3DQEBAQUAA4GNADCBiQKBgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7
    ug0EfgSLR0f+K41eNqqRftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n
    /zMyahxtV7+mT8GOFFigFfuxaxMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G+N
    9YdbjveMVXW0v4XwIDAQABoAAwDQYK
    -----END NEW CERTIFICATE REQUEST-----

  3. Send the email message to the CA.

After emailing the certificate request, wait for the CA to respond with the server certificate. Response time for requests varies. For example, if the CA is internal to the company, it may only take a day or two to respond to the request. If the selected CA is a third-party, it could take several weeks to respond to the request.

After receiving the certificate, install it in the Directory Server's certificate database. When the CA sends a response, be sure to save the information in a text file. The certificate must be available to install in the Directory Server.

Also, keep a backup of the certificate data in a safe location. If the system ever loses the certificate data, the certificate can be reinstalled using the backup file.
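A request that has been copied through a mail client or a clipboard often arrives with an extra dash in the END line, quoting characters, or a cut-off last line, and the wizard then rejects it with little explanation. The following is an added example, written for this page and not part of the Directory Server Console or any Red Hat tool: a standard-library Python check that validates the PEM framing and base64 of a request or certificate block before it is pasted, and reads the Subject out of a PKCS#10 request so the Server Name entered in Step 1 can be compared with the host's FQDN before the request goes to the CA. The sample request it builds is a constructed, unsigned skeleton (version and Subject only) so the script runs offline; real requests also carry a public key and a signature, which this check does not verify.

```python
"""Sanity checks for a PEM request/certificate block before it goes into the wizard.

Added example (standard library only, not part of the Directory Server tooling).
It catches the copy/paste defects that make the Install Wizard reject a block
(mismatched BEGIN/END labels, stray characters from a mail client, truncated
base64) and reads the Subject out of a PKCS#10 request so the Server Name can
be compared with the host's FQDN before the request is sent to the CA.
Signatures and keys are NOT verified here; the CA and the server do that.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)

# DER-encoded X.500 attribute types used in a Subject (e.g. 2.5.4.3 = 55 04 03)
OID_CN, OID_O, OID_C = bytes.fromhex("550403"), bytes.fromhex("55040a"), bytes.fromhex("550406")


def _tlv(der, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(der):
        raise ValueError("DER data ends inside a tag/length header")
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    if pos + length > len(der):
        raise ValueError("DER length runs past the end of the data (truncated block?)")
    return tag, der[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        yield tag, v


def check_pem_block(text):
    """Return (label, der_bytes) for the first PEM block in text, or raise ValueError."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no -----BEGIN/-----END pair found")
    begin, body, end = m.groups()
    if begin != end:
        raise ValueError(f"label mismatch: BEGIN {begin!r} but END {end!r}")
    body = "".join(body.split())                   # drop newlines and mail indentation
    if re.search(r"[^A-Za-z0-9+/=]", body):
        raise ValueError("non-base64 character inside the block (extra dash or mail quoting?)")
    der = base64.b64decode(body, validate=True)    # binascii.Error (a ValueError) on bad padding
    tag, _, end_pos = _tlv(der, 0)
    if tag != 0x30 or end_pos != len(der):
        raise ValueError("decoded data is not exactly one DER SEQUENCE")
    return begin, der


def request_subject(der):
    """Map attribute OID (hex) -> string for the Subject of a PKCS#10 request."""
    _, req, _ = _tlv(der, 0)                       # CertificationRequest
    tag, cri, _ = _tlv(req, 0)                     # certificationRequestInfo
    info = list(_children(cri))
    if tag != 0x30 or len(info) < 2 or info[0][0] != 0x02 or info[1][0] != 0x30:
        raise ValueError("not a PKCS#10 CertificationRequest (version INTEGER + subject Name expected)")
    subject = {}
    for _, rdn in _children(info[1][1]):           # RelativeDistinguishedName SET
        for _, atv in _children(rdn):              # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, val) = list(_children(atv))[:2]
            subject[oid.hex()] = val.decode("utf-8")
    return subject


def server_name_matches(pem_text, fqdn):
    """True if the request's CN equals fqdn (case-insensitive); ValueError if the block is malformed."""
    _, der = check_pem_block(pem_text)
    cn = request_subject(der).get(OID_CN.hex(), "")
    return cn.lower() == fqdn.lower().rstrip(".")


# --- constructed sample: a tiny DER encoder and an unsigned request skeleton for the demo ---

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_request(cn, org="Example Corp", country="US"):
    """Constructed CSR skeleton (version + Subject only; no key or signature) wrapped as PEM."""
    rdns = b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))   # SET { SEQ { OID, UTF8String } }
        for oid, text in ((OID_C, country), (OID_O, org), (OID_CN, cn)))
    cri = _der(0x30, _der(0x02, b"\x00") + _der(0x30, rdns))
    b64 = base64.b64encode(_der(0x30, cri)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    pem = build_sample_request("dir.example.com")
    print(request_subject(check_pem_block(pem)[1]))
    print("CN matches host:", server_name_matches(pem, "dir.example.com"))
```

Run against the request text saved in Step 1 (read the file and pass it to server_name_matches with the hostname from the DNS entry), any ValueError names the exact defect to fix before the request is mailed; the same check_pem_block call works on the certificate the CA sends back, since a certificate is also a single DER SEQUENCE in PEM framing.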

11.2.3. Step 3: Install the Certificate

  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.

  2. Select the Server Certs tab, and click Install.

  3. Give the certificate location or paste the certificate text in the text box, then click Next.

    • In this file. Enter the absolute path to the certificate in this field.

    • In the following encoded text block. Copy the text from the CA's email or from the created text file, and paste it in this field.

  4. Check that the certificate information displayed is correct, and click Next.

  5. Give a name to the certificate, and click Next.

  6. Provide the password that protects the private key. This password is the same as the one provided in step 5 in Section 11.2.1, “Step 1: Generate a Certificate Request”.

After installing the server certificate, configure the Directory Server to trust the CA which issued the server's certificate.

11.2.4. Step 4: Trust the Certificate Authority

Configuring the Directory Server to trust the certificate authority consists of obtaining the CA's certificate and installing it into the server's certificate database. This process differs depending on the certificate authority. Some commercial CAs provide a web site that allows users to download the certificate automatically. Others will email it back to users.

After receiving the CA certificate, use the Certificate Install Wizard to configure the Directory Server to trust the certificate authority.

  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.

  2. Go to the CA Certs tab, and click Install.

  3. If the CA's certificate is saved to a file, enter the path in the field provided. Alternatively, copy and paste the certificate, including the headers, into the text box. Click Next.

  4. Check that the certificate information that opens is correct, and click Next.

  5. Name the certificate, and click Next.

  6. Select the purpose of trusting this certificate authority; it is possible to select both options:

    • Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.

    • Accepting connections to other servers (Server Authentication). This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted certificate authority.

  7. Click Done.

Once both the server and CA certificates are installed, it is possible to configure the Directory Server to run in TLS/SSL. However, Red Hat recommends verifying that the certificates have been installed correctly.

11.2.5. Step 5: Confirm That The New Certificates Are Installed

  1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.

  2. Select the Server Certs tab.

    A list of all the installed certificates for the server opens.

  3. Scroll through the list. The certificates installed previously should be listed.

It is now possible to set up the Directory Server to run in TLS/SSL.

NOTE

When renewing a certificate using the Certificate Wizard, the text on the introduction screen does not clearly indicate that the process is renewal and not requesting a new certificate. Also, the requester information is not filled in automatically.


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.