
List:       pamldap
Subject:    [pamldap] Creating the cert7.db for use with pam_ldap
From:       Richard Gilbert <R.Gilbert () sheffield ! ac ! uk>
Date:       2001-09-20 15:57:11

I am using a self-signed CA certificate for signing directory server
certificates.

Up until now I have been using the trick of pointing a (Netscape) browser
at the directory server's SSL port, e.g. https://auth1.shef.ac.uk:636, and
going through the New Site Certificate dialogue.  The resulting cert7.db
can then be copied to the pam_ldap client.  If one wants to use multiple
directory servers for resilience then the above has to be repeated for
each server.

I have been playing with Netscape's PKCS #11 Utility Package (1.0.6).
This contains a Certificate Database Tool (certutil).  Using this I was
able to see that the cert7.db created using the method above contains the
directory servers' certificates (as trusted peers).  It seemed to me that
it would be neater if I could get my CA certificate into a cert7.db
file.  This could then be used to accept any server certificate which I
had signed.  I was able to do this as follows:

1. Create a new key3.db key database (in the current directory) -- it will
   ask for a database password:

   ./keyutil -N

2. Create a new cert7.db certificate database (in the current directory):

   ./certutil -N

3. Add my CA certificate (from the file ca.crt):

   ./certutil -A -n 'Sheffield Certificate Authority' -t 'CT,,' -i ca.crt

(The key3.db is needed for steps 2 & 3 but is not needed by the clients.)

The resulting cert7.db worked on the clients as expected.

Any comments?

Richard
--
Richard Gilbert
Corporate Information and Computing Services
University of Sheffield, Sheffield, S10 2TN, UK
Phone: +44 114 222 3028   Fax: +44 114 222 3040
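
For the three-step procedure in the post, here is an added example (not from Richard's message): a POSIX shell script that builds the database, confirms the CA's SSL trust flags, and validates a server certificate against it, which is the check the pam_ldap client relies on. It assumes a modern NSS certutil, which writes cert8.db or cert9.db rather than cert7.db; the nicknames, paths and the pw.txt file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an NSS certificate
# database that trusts one CA for SSL server authentication, then checks
# that the trust flags were recorded and that a server certificate signed
# by that CA validates against it. Assumes a modern NSS certutil, which
# writes cert8.db/cert9.db instead of the 1.0.6 tool's cert7.db; the
# commands are otherwise the same as in the post.
set -eu

# build_ca_db DIR CA_PEM NICKNAME
# Creates the key and certificate databases in DIR and imports CA_PEM with
# trust 'CT,,': 'C' = valid CA for SSL server certs, 'T' = also trusted to
# issue client certs; the S/MIME and code-signing slots are left empty.
build_ca_db() {
  dir=$1; ca=$2; nick=$3
  mkdir -p "$dir"
  # An empty password file (constructed name pw.txt) avoids the interactive
  # prompt; the key database holds no private keys here and is not shipped
  # to the pam_ldap clients, which only read the certificate database.
  : > "$dir/pw.txt"
  certutil -N -d "$dir" -f "$dir/pw.txt"
  certutil -A -d "$dir" -n "$nick" -t 'CT,,' -i "$ca"
}

# ca_is_trusted_for_ssl DIR NICKNAME
# Succeeds only if 'certutil -L' lists the nickname with the SSL 'CT' flags,
# i.e. the database will accept server certificates issued by this CA.
ca_is_trusted_for_ssl() {
  certutil -L -d "$1" \
    | awk -v n="$2" 'index($0, n) == 1 { print $NF }' \
    | grep -q '^CT,'
}

# server_cert_validates DIR SERVER_PEM
# Imports SERVER_PEM under a scratch nickname with no trust of its own and
# asks NSS to validate it for SSL server use (-u V), then removes it again.
# A certificate not chaining to a trusted CA in DIR makes this return 255.
server_cert_validates() {
  certutil -A -d "$1" -n scratch-server -t ',,' -i "$2"
  rc=0
  certutil -V -d "$1" -n scratch-server -u V >/dev/null || rc=$?
  certutil -D -d "$1" -n scratch-server
  return $rc
}
```

Run `build_ca_db ./nssdb ca.crt 'Sheffield Certificate Authority'` and copy the resulting certificate database to the clients; `server_cert_validates ./nssdb server.crt` tells you in advance whether a given directory server's certificate will be accepted.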
