eDirectory PKI Server Cookbook


In this document, I plan to capture various use cases around eDirectory Certificate Server, eDirectory server certificates, and troubleshooting tips. This is intended to be a live document which will get updated with more information over time.


Table of Contents

    • How to examine eDirectory CA certificate
    • How to examine eDirectory server certificate
    • LDAP server certificate contents

How to examine eDirectory CA certificate

eDirectory versions 9.0 and later have two CAs: an RSA CA and an ECDSA CA.

These certificates are present in my eDirectory tree as attributes of the CA object and are reproduced here for convenience.

The certificate can be examined as follows:

This is the actual base64 encoded certificate stored in the .pem file:

-----BEGIN CERTIFICATE-----
MIIFIzCCBAugAwIBAgIUf2XGI6I9zaBftA FUx2eWqK38MAwDQYJKoZIhvcNAQEL
BQAwMjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1Qt
VFJFRS0xMB4XDTE4MTIxMzEyMzQwN1oXDTI4MTIxMjEyMzQwN1owMjEaMBgGA1UE
CxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1QtVFJFRS0xMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9am80UODEX5EvwuadzGgAUVBFftJ
YOJLr9Ks/PRuydxX8O4mBQHM3xc LS7jR2foeMJIv/TEbXCA9zGpj7JWqGrsPVl
Kl8E4uSwPfE8YeZ/JvSzM2EOByP9MQDW/Rn/uXBLVogjCI7/bGpbI8FXf7MD11Xf
cfjKWkS2TWd0tvHTYwfzz 96MSPArOE1m2KEFEpE5JsZXv5l/68MKIzLWB1yyOq4
jggEEoFgCAQICAgD/AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAA
AAAAAAAwGDAQAgEAAgh//////////wEBAAIEBvDfSDAYMBACAQACCH//////////
AQEAAgQG8N9IoVgCAQICAgD/AgEAAw0AQAAAAAAAAAAAAAAAAwkAQAAAAAAAAAAw
GDAQAgEAAgh//////////wEBAAIEEf ugTAYMBACAQACCH//////////AQEAAgQR
/66Bok4wTAIBAgICAP8CAQADDQCA//////////////8DCQCA/////////zASMBAC
AQACCH//////////AQH/MBIwEAIBAAIIf/////////8BAf8wDQYJKoZIhvcNAQEL
BQADggEBAJWmzUpmysfwqBgh3TzW72VBzIA/ZnlIxXU2uzfTUoQ UyUxtpuxyd/w
8Fs9y6R4ty4JJbC1Gdcx5et NnqszUlSXdNsnqwFW3ROFWm6LCNXJlG0o39ddoaP
sFgJC3oSU IIgICidbam/m6f/1a56oHwVl94gc6ds0ZuTSgZZSNZpPk5YTTDpV4l
pR/THp7Hip6HwKf917gNa7cnCP8HsYZ/z3IVOu1ReLEFHoN4HUFhUeOU0qNox2Am
bAlxptbvE5EK9nc68qhrhVx4zLT/4FR KoCoP6CfFiYPghZSr0S5Ttc6VoagYXyJ
Edpd6DHf0ZkOTh5nJVyQQBpfQ7u/wIc=
-----END CERTIFICATE-----

How to examine eDirectory server certificate

Note: For the following commands to work, run export LDAPTLS_REQCERT=never in the shell before executing the commands. This setting tells the OpenLDAP client tools to skip verification of the server's certificate; it is needed here only because the client does not yet trust the eDirectory CA, so use it for this inspection rather than as a permanent client setting.

Server certificates are stored in eDirectory objects called Key Material Objects (KMOs). Following is how you locate the KMO.

LDAP server certificate contents

You can use the following command to see the LDAP server's X.509 certificate.

Copy and paste this into a file named server-cert.pem for examination.

-----BEGIN CERTIFICATE-----
MIIGvzCCBaegAwIBAgIUNQ0fNpmSeuj4GcMDl8wYKF2ZYpwwDQYJKoZIhvcNAQEL
BQAwMjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1Qt
VFJFRS0xMB4XDTE4MTIxNTEwMzQwOFoXDTIwMTIxNDEwMzQwOFowKzEUMBIGA1UE
ChMLVEVTVC1UUkVFLTExEzARBgNVBAMTCm0xLmZvby5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCvemycNaO6CI hItGZBw4qzPqHCvqHijkyjfCf
GU0AWz4Y w4jVgVFaFU3J9SiBgv7KtBRf9kAhHH8Um3TGgEuucxMqd7xFGnYIhom
pMS8Mnot77Ya4mQNvY/ShnaDnvdUMfaMkBNnTF56e4gNW1YWtz2WhfLwgxR91aug
wxxNiG2AZ6St2qMXjXwWk4XjUD9v/vTQRXddbhdbxgoBXqdsTQBKBmrlJYgqgVJs
fYHo/YqoVun/ggcRxkithXnup9IDE1twsJAFXrlO5VVfEZNstUsIWW9U/xBOQeHL
TpIePE1dl763Y8Ir7AKSL8jJDfyPala65q 4CSAx E89bzd/AgMBAAGjggPSMIID
zjAdBgNVHQ4EFgQUA/Bfib9lvx72tvq0EYsmP2o5xUcwHwYDVR0jBBgwFoAUGio8
W7bHt5QA/id3wYQAQDvzrCwwGwYDVR0RBBQwEocEwKg4ZoIKbTEuZm9vLmNvbTAL
BgNVHQ8EBAMCBaAwggHMBgtghkgBhvg3AQkEAQSCAbswggG3BAIBAAEB/xMdTm92
ZWxsIFNlY3VyaXR5IEF0dHJpYnV0ZSh0bSkWQ2h0dHA6Ly9kZXZlbG9wZXIubm92
ZWxsLmNvbS9yZXBvc2l0b3J5L2F0dHJpYnV0ZXMvY2VydGF0dHJzX3YxMC5odG0w
ggFIoBoBAQAwCDAGAgEBAgFGMAgwBgIBAQIBCgIBaaEaAQEAMAgwBgIBAQIBADAI
MAYCAQECAQACAQCiBgIBFwEB/6OCAQSgWAIBAgICAP8CAQADDQCAAAAAAAAAAAAA
AAADCQCAAAAAAAAAADAYMBACAQACCH//////////AQEAAgQG8N9IMBgwEAIBAAII
f/////////8BAQACBAbw30ihWAIBAgICAP8CAQADDQBAAAAAAAAAAAAAAAADCQBA
AAAAAAAAADAYMBACAQACCH//////////AQEAAgQR/66BMBgwEAIBAAIIf///////
//8BAQACBBH/roGiTjBMAgECAgEAAgIA/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAA
AAAAMBIwEAIBAAIIf/////////8BAQAwEjAQAgEAAgh//////////wEBADCCAZAG
A1UdHwSCAYcwggGDMCygKqAohiZodHRwOi8vMTkyLjE2OC41Ni4xMDI6ODAyOC9j
cmwvb25lLmNybDBgoF6gXIZabGRhcDovLzE5Mi4xNjguNTYuMTAyOjM4OS9DTj1P
bmUsQ049T25lJTIwLSUyMENvbmZpZ3VyYXRpb24sQ049Q1JMJTIwQ29udGFpbmVy
LENOPVNlY3VyaXR5MC2gK6AphidodHRwczovLzE5Mi4xNjguNTYuMTAyOjgwMzAv
Y3JsL29uZS5jcmwwYaBfoF2GW2xkYXBzOi8vMTkyLjE2OC41Ni4xMDI6NjM2L0NO
PU9uZSxDTj1PbmUlMjAtJTIwQ29uZmlndXJhdGlvbixDTj1DUkwlMjBDb250YWlu
ZXIsQ049U2VjdXJpdHkwX6BdoFukWTBXMQwwCgYDVQQDEwNPbmUxHDAaBgNVBAMT
E09uZSAtIENvbmZpZ3VyYXRpb24xFjAUBgNVBAMTDUNSTCBDb250YWluZXIxETAP
BgNVBAMTCFNlY3VyaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQDBnJMF8o96TQGhHDaG
AKwp2QRujWk7aW2lpz1xzC0zjNA7a684OYZjJhAAHDiLuva3fFtkLGRo7VvRqwhn
jrtzq2pz6OOBBruHQqGIL67c JYgSTI22NL8ljpn0dbEf0bHMdibcHSjY0hckIXF
NZG2TEglMwU/mnc037xBC1LAvtLXh1LnK7O2tqsrIk LwCteyPcxWhgcQotAakKF
WjuGgqSoz6l88vrT4c4IGvxeySPCykHoTc6qeEQpBX9TtenoD/AJRIjcv6HciqrQ
U1lDdCyemNirahzZH gEo JkmxsvPnFIX1ptMILb3AQ7ViayvRwHr1Ldl l7WbIt
NnPr
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFIzCCBAugAwIBAgIUf2XGI6I9zaBftA FUx2eWqK38MAwDQYJKoZIhvcNAQEL
BQAwMjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1Qt
VFJFRS0xMB4XDTE4MTIxMzEyMzQwN1oXDTI4MTIxMjEyMzQwN1owMjEaMBgGA1UE
CxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1QtVFJFRS0xMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9am80UODEX5EvwuadzGgAUVBFftJ
YOJLr9Ks/PRuydxX8O4mBQHM3xc LS7jR2foeMJIv/TEbXCA9zGpj7JWqGrsPVl
Kl8E4uSwPfE8YeZ/JvSzM2EOByP9MQDW/Rn/uXBLVogjCI7/bGpbI8FXf7MD11Xf
cfjKWkS2TWd0tvHTYwfzz 96MSPArOE1m2KEFEpE5JsZXv5l/68MKIzLWB1yyOq4
jggEEoFgCAQICAgD/AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAA
AAAAAAAwGDAQAgEAAgh//////////wEBAAIEBvDfSDAYMBACAQACCH//////////
AQEAAgQG8N9IoVgCAQICAgD/AgEAAw0AQAAAAAAAAAAAAAAAAwkAQAAAAAAAAAAw
GDAQAgEAAgh//////////wEBAAIEEf ugTAYMBACAQACCH//////////AQEAAgQR
/66Bok4wTAIBAgICAP8CAQADDQCA//////////////8DCQCA/////////zASMBAC
AQACCH//////////AQH/MBIwEAIBAAIIf/////////8BAf8wDQYJKoZIhvcNAQEL
BQADggEBAJWmzUpmysfwqBgh3TzW72VBzIA/ZnlIxXU2uzfTUoQ UyUxtpuxyd/w
8Fs9y6R4ty4JJbC1Gdcx5et NnqszUlSXdNsnqwFW3ROFWm6LCNXJlG0o39ddoaP
sFgJC3oSU IIgICidbam/m6f/1a56oHwVl94gc6ds0ZuTSgZZSNZpPk5YTTDpV4l
pR/THp7Hip6HwKf917gNa7cnCP8HsYZ/z3IVOu1ReLEFHoN4HUFhUeOU0qNox2Am
bAlxptbvE5EK9nc68qhrhVx4zLT/4FR KoCoP6CfFiYPghZSr0S5Ttc6VoagYXyJ
Edpd6DHf0ZkOTh5nJVyQQBpfQ7u/wIc=
-----END CERTIFICATE-----
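The chain printed above arrives as one stream (the server certificate first, then the CA that issued it), and the cookbook's next step is to paste it into a file. The following helpers are an added example, not the cookbook's own commands: they cut such a bundle into one PEM file per certificate and check that each pasted body is clean base64, since a stray space or a wrapped line (of the kind visible in the certificates reproduced on this page) makes openssl reject the file. The bundle at the bottom is constructed for the demonstration from the first lines of the page's certificates; its bodies are placeholders, not complete certificates.

```shell
#!/bin/sh
# Added example (not from the cookbook): split a pasted certificate chain into
# individual PEM files and flag copy/paste damage before handing them to openssl.
set -eu

# split_pem_bundle <bundle> <prefix>
# Writes <prefix>-1.pem, <prefix>-2.pem, ... in order of appearance and prints
# the number of certificates written. Text outside the markers is ignored.
split_pem_bundle() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# pem_check <file>
# Prints every body line that is not pure base64 (with its line number) and
# exits 1 if any were found; exits 0 for a clean file.
pem_check() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /^-----END CERTIFICATE-----/   { inside = 0; next }
        inside && $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad++; printf "line %d: not base64: %s\n", NR, $0 }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed two-certificate bundle: server certificate followed by the CA, as
# in the chain shown on the page. The bodies are truncated placeholders, and
# the second one carries a space inside a line, the typical paste damage.
WORK="${WORK:-$(mktemp -d)}"
cat > "$WORK/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIGvzCCBaegAwIBAgIUNQ0fNpmSeuj4GcMDl8wYKF2ZYpwwDQYJKoZIhvcNAQEL
BQAwMjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1Qt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFIzCCBAugAwIBAgIUf2XGI6I9zaBftA FUx2eWqK38MAwDQYJKoZIhvcNAQEL
BQAwMjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoTC1RFU1Qt
-----END CERTIFICATE-----
EOF

# Usage: split, then check each piece before examining it with openssl.
COUNT=$(split_pem_bundle "$WORK/chain.pem" "$WORK/cert")
echo "certificates found: $COUNT"
for f in "$WORK"/cert-*.pem; do
    if pem_check "$f"; then
        echo "$f: clean"
    else
        echo "$f: fix the lines above before openssl will read it"
    fi
done
```

The first file is the server certificate (the leaf is always first in a chain as sent by a server), the second is the issuer; rename them to server-cert.pem and ca.pem once the check passes.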

Server certificate

Now, examine the server certificate that you copied into server-cert.pem using the following command.

The command is the same as the one used to examine the CA certificate.
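Both the CA section and this one examine a PEM file with openssl, and the same checks apply to each. The script below is an added example, not the cookbook's own commands: because the certificates reproduced on this page are not usable as input, it first builds a throwaway RSA CA and a server certificate with openssl as stand-ins (the OU "Organizational CA", the tree name TEST-TREE-1 and the host m1.foo.com are taken from the page's certificates; the keys and certificates themselves are constructed here), then runs the kind of inspection the cookbook describes: the full text dump, subject and issuer, whether the certificate is a self-signed CA or a server certificate, the names in subjectAltName, expiry, fingerprint, and verification of the server certificate against the CA.

```shell
#!/bin/sh
# Added example (not from the cookbook): examine a CA certificate and a server
# certificate with openssl. The test PKI built here stands in for the
# certificates exported from an eDirectory tree.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build ca.pem (self-signed, CA:TRUE) and server-cert.pem (issued by the CA,
# DNS name in subjectAltName). Extensions come from explicit -extfile inputs.
make_test_pki() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -subj "/OU=Organizational CA/O=TEST-TREE-1" \
        -out "$WORK/ca.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    openssl x509 -req -days 3650 -sha256 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "/O=TEST-TREE-1/CN=m1.foo.com" \
        -out "$WORK/server.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:m1.foo.com' \
        'extendedKeyUsage=serverAuth' > "$WORK/server.ext"
    openssl x509 -req -days 730 -sha256 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server-cert.pem" 2>/dev/null
}

# Full human-readable dump: subject, issuer, validity, extensions, signature.
show_cert() { openssl x509 -in "$1" -noout -text; }

# Subject and issuer in RFC 2253 form, e.g. CN=m1.foo.com,O=TEST-TREE-1
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# A root CA such as the eDirectory Organizational CA is self-signed: subject == issuer.
is_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# basicConstraints CA:TRUE is what separates a CA certificate from a server certificate.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Names in subjectAltName; an LDAP client matches the host it connected to against these.
cert_san() { openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'; }

# Chain validation against the CA, which is what an LDAP client does when it
# is not run with LDAPTLS_REQCERT=never.
verify_server_cert() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Still valid today? -checkend 0 fails once notAfter has passed.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# SHA-256 fingerprint, to compare the CA held in the tree with the one a client trusts.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Usage: build the stand-in PKI, then inspect both certificates.
make_test_pki
echo "== CA certificate =="
show_cert "$WORK/ca.pem"
echo "== Server certificate =="
show_cert "$WORK/server-cert.pem"
echo "CA is self-signed and CA:TRUE: $(is_self_signed "$WORK/ca.pem" && is_ca_cert "$WORK/ca.pem" && echo yes || echo no)"
echo "Server cert subject: $(cert_subject "$WORK/server-cert.pem")"
echo "Server cert SAN: $(cert_san "$WORK/server-cert.pem")"
echo "Server cert chains to CA: $(verify_server_cert "$WORK/server-cert.pem" "$WORK/ca.pem" && echo yes || echo no)"
echo "CA fingerprint (SHA-256): $(cert_fingerprint "$WORK/ca.pem")"
```

Once the CA certificate has been saved to a file, the OpenLDAP client tools can be pointed at it with the LDAPTLS_CACERT environment variable (the same setting as TLS_CACERT in ldap.conf), which lets ldapsearch verify the server certificate properly instead of relying on LDAPTLS_REQCERT=never.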