eDirectory PKI Server Cookbook


In this document, I plan to capture various use cases around the eDirectory Certificate Server and eDirectory server certificates, along with troubleshooting tips. This is intended to be a living document that will be updated with more information over time.


Table of Contents

  • How to examine eDirectory CA certificate

  • How to examine eDirectory server certificate

  • LDAP server certificate contents




How to examine eDirectory CA certificate



eDirectory versions 9.0 and later have two CAs: an RSA CA and an ECDSA CA.



These certificates are present in my eDirectory tree as attributes of the object and are made available here for convenience.



The certificate can be examined as follows:





This is the actual base64 encoded certificate stored in the .pem file


How to examine eDirectory server certificate



Note: For the following commands to work, run export LDAPTLS_REQCERT=never in the shell before executing them. This makes the OpenLDAP client tools skip verification of the server's certificate for that shell session.

Server certificates are stored in eDirectory objects called Key Material Objects (KMOs). The following shows how to locate the KMO.





LDAP server certificate contents



You can use the following command to see the LDAP server's X.509 certificate.




Copy/paste this into file server-cert.pem for examining.











Server certificate

Now, examine the server certificate that you copied into server-cert.pem using the following command.

The command is the same as the one used to examine the CA certificate.
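
One way to examine a PEM file saved from the tree, whether a CA certificate or server-cert.pem, with the openssl command-line tool. This is an added example, not the commands from the original page: the function names are illustrative, and the certificates generated when no file is given are constructed stand-ins.

```shell
#!/bin/sh
# Subject, issuer, serial, validity and SHA-256 fingerprint of a PEM certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates -fingerprint -sha256
}

# Print RSA or ECDSA, read from the certificate's public key algorithm.
cert_key_type() {
    case "$(openssl x509 -in "$1" -noout -text | grep 'Public Key Algorithm')" in
        *rsaEncryption*)  echo RSA ;;
        *id-ecPublicKey*) echo ECDSA ;;
        *)                echo unknown ;;
    esac
}

# Succeed only if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Succeed only if certificate $2 verifies against the CA file $1.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# CONSTRUCTED sample input: a throwaway self-signed certificate standing in
# for a PEM file saved from the tree. $1 = rsa|ec, $2 = output file, $3 = days.
make_constructed_cert() {
    if [ "$1" = ec ]; then kind=ec opt=ec_paramgen_curve:prime256v1
    else kind=rsa:2048 opt=rsa_keygen_bits:2048; fi
    openssl req -x509 -newkey "$kind" -pkeyopt "$opt" -nodes -days "${3:-365}" \
        -subj "/O=CONSTRUCTED/CN=constructed $1 CA" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# Arguments: the CA PEM file first, then any others; with none, use constructed ones.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_constructed_cert rsa "$demo/rsa-ca.pem"
    make_constructed_cert ec "$demo/ec-ca.pem"
    set -- "$demo/rsa-ca.pem" "$demo/ec-ca.pem"
fi
ca=$1
for pem in "$@"; do
    echo "== $pem: $(cert_key_type "$pem") key"
    cert_summary "$pem"
    cert_valid_for_days "$pem" 30 || echo "WARNING: expires within 30 days"
    cert_chains_to "$ca" "$pem" || echo "NOTE: does not verify against $ca"
done
```

Saved under an assumed name such as examine-cert.sh, it would be run as sh examine-cert.sh ca.pem server-cert.pem, with the CA file first so that the server certificate is checked against it.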








Last update: 2019-01-24 14:31