-
Notifications
You must be signed in to change notification settings - Fork 139
Configuring Client Certificate Authentication to Internal Database
This document describes the procedure to enable client certificate authentication from PKI server to the internal database. It assumes that the secure connection to the internal database has been enabled.
Export PKI CA’s signing certificate into a PEM file:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -n "caSigningCert cert-pki-tomcat CA" -a > pkica.pem
Import the PEM file into DS server’s NSS database:
$ certutil -A -d /etc/dirsrv/slapd-pki-tomcat -n "PKI CA certificate" -t "CT,C,C" -i pkica.pem
Verify with the following command:
$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat
Configure DS certificate mapping in /etc/dirsrv/slapd-pki-tomcat/certmap.conf:
certmap example CN=CA Signing Certificate,O=EXAMPLE example:CmapLdapAttr seeAlso example:verifycert on
This will map the subsystem certificate to pkidbuser since pkidbuser has a seeAlso attribute containing the subsystem certificate’s subject DN.
Restart the DS server:
$ systemctl restart [email protected]
Verify that the client certificate exists in PKI server’s NSS database:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -n "subsystemCert cert-pki-tomcat"
Verify with openldap-clients and PEM files:
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "Directory Server CA certificate" -a \ > dsca.pem $ pki -d /var/lib/pki/pki-tomcat/alias -C /var/lib/pki/pki-tomcat/conf/password.conf \ client-cert-show "subsystemCert cert-pki-tomcat" --cert subsystem.pem --private-key subsystem.key $ LDAPTLS_CACERT=dsca.pem \ LDAPTLS_CERT=subsystem.pem \ LDAPTLS_KEY=subsystem.key \ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret.123 \ -b "dc=example,dc=com" "(objectClass=*)"
or with openldap-clients and NSS database:
$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' \ > /var/lib/pki/pki-tomcat/alias/password.txt $ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/alias/password.txt $ chmod 400 /var/lib/pki/pki-tomcat/alias/password.txt $ LDAPTLS_CACERTDIR=/var/lib/pki/pki-tomcat/alias \ LDAPTLS_CERT="subsystemCert cert-pki-tomcat" \ LDAPTLS_KEY=/var/lib/pki/pki-tomcat/alias/password.txt \ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret.123 \ -b "dc=example,dc=com" "(objectClass=*)"
Configure PKI server to use the client certificate by editing /var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg
:
internaldb.ldapauth.authtype=SslClientAuth internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-tomcat
Remove the unused internaldb.ldapauth.bindDN
and internaldb.ldapauth.bindPWPrompt
parameters.
Restart PKI server:
$ systemctl restart [email protected]
Verify that PKI server authenticates against the DS using client certificate with the following command:
$ pki ca-cert-find
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |