Hi

2012/3/5 Gilbert Martin <gilbert.martin@gmail.com>
Hi All,

I've been trying to get SSL working with my LDAP server, but haven't had success. I'm currently implementing a new test environment. Does anyone have some quick and dirty instructions on setting up a CA and SSL certs for my directory server and clients?


From my cheat sheet

The first thing we need to do is create a new key store.

# cd /etc/dirsrv/slapd-directory/
# mv cert8.db key3.db secmod.db /root/
# certutil -N -d .
 
Then we create your CA.

# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa

Make sure you say yes to "Is this a CA certificate [y/N]?" and accept the defaults for everything else.

Next we create your server cert. Make sure the cn is the FQDN of this server.

# certutil -S -n "directory-Server-Cert" -s "cn=directory.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa

Then check to make sure it looks ok.

# certutil -L -d /etc/dirsrv/slapd-directory/

Create the public CA certificate for your clients.

# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc

In your /etc/dirsrv/slapd-directory/dse.ldif make your nsSSLPersonalitySSL look like the following.

nsSSLPersonalitySSL: directory-Server-Cert

That should be it. You have to restart the directory server after the above steps.

After this configure Directory Server to use SSL.

Set the secure port for the server to use for TLS/SSL communications. In the Configuration area, select the Settings tab, and enter the value in the Encrypted Port field.

- The encrypted port number must not be the same port number used for normal LDAP communications. By default, the standard port number is 389, and the secure port is 636.

- Select the Configuration tab, and then select the top entry in the navigation tree in the left pane. Select the Encryption tab in the right pane.

- Select the Enable SSL for this Server checkbox.

- Check the Use this Cipher Family checkbox.

- Select the certificate to use from the drop-down menu.



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
Regards
Arpit Tolani
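The following is an added, non-interactive version of the cheat-sheet steps above; it is not part of the list post and not the 389 project's own tooling. It builds the NSS database, the self-signed CA, the CA-signed server certificate and the exported public CA file in one go, then validates the chain with certutil -V. The nicknames, the subject, the hostname directory.example.com, the 2048-bit key size, the validity periods (10 years CA, 1 year server) and the password-file handling are assumptions chosen for the example; the piped "y / blank / y" answers are what the -2 basic-constraints prompts expect, and -8 adds a dNSName subjectAltName that current clients check instead of the cn.

```shell
#!/bin/sh
# Added example (not the list post's own commands): scripted CA + server
# certificate setup in an NSS database, as a 389 Directory Server would use.
# Hostname, nicknames, key size and validity periods are assumptions.
set -eu

CA_NICK="CA certificate"
SERVER_NICK="directory-Server-Cert"
SERVER_FQDN="directory.example.com"   # assumed; must match the name clients connect to
CA_SUBJECT="cn=CA cert,dc=directory,dc=example,dc=com"

# TLS clients compare the name they dialled with the certificate, so refuse
# a bare hostname, an empty name, or a name with spaces or stray dots.
valid_fqdn() {
    case "$1" in
        ""|*" "*|*..*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the NSS DB in $1 (token password read from file $2, first line),
# the CA, the server cert, and the exported public CA in $1/my-public-ca.asc.
setup_nss_ca() {
    db="$1"; pw="$2"
    valid_fqdn "$SERVER_FQDN" || { echo "not an FQDN: $SERVER_FQDN" >&2; return 1; }

    # Seed file: with -z certutil skips the interactive keystroke-entropy prompt.
    noise="$db/noise.bin"
    head -c 1024 /dev/urandom > "$noise"

    # New, empty key/cert database (equivalent of the certutil -N step).
    certutil -N -d "$db" -f "$pw"

    # Self-signed CA. -2 asks three questions on stdin:
    #   Is this a CA certificate? -> y
    #   Path length constraint    -> (blank = none)
    #   Critical extension?       -> y
    printf 'y\n\ny\n' | certutil -S -d "$db" -f "$pw" -z "$noise" \
        -n "$CA_NICK" -s "$CA_SUBJECT" -2 -x -t "CT,," \
        -m 1000 -v 120 -k rsa -g 2048 >/dev/null

    # Server cert signed by the CA: cn is the FQDN and -8 adds it as a
    # dNSName SAN. Kept to 12 months rather than the cheat sheet's 720.
    certutil -S -d "$db" -f "$pw" -z "$noise" \
        -n "$SERVER_NICK" -s "cn=$SERVER_FQDN" -8 "$SERVER_FQDN" \
        -c "$CA_NICK" -t "u,u,u" -m 1001 -v 12 -k rsa -g 2048 >/dev/null

    # Public CA certificate (PEM) for the clients' trust stores.
    certutil -L -d "$db" -n "$CA_NICK" -a > "$db/my-public-ca.asc"
    rm -f "$noise"
}

# Verify the server cert chains to the CA and is valid for SSL server use (-u V).
check_server_cert() {
    certutil -V -d "$1" -n "$SERVER_NICK" -u V >/dev/null
}

# Usage (do not run against a live instance without stopping it first):
#   setup_nss_ca /etc/dirsrv/slapd-directory /path/to/pwfile
#   check_server_cert /etc/dirsrv/slapd-directory
```

The password file given to -f holds only the token password; 389 Directory Server reads the same password at startup from pin.txt in the instance directory, in the form "Internal (Software) Token:<password>". Once the server is restarted on the secure port, the exported my-public-ca.asc can be checked from a client with openssl s_client -CAfile my-public-ca.asc -connect directory.example.com:636, which should report a verified chain and no hostname mismatch.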