Extracting the TrustedRoot Certificate from eDirectory

By: jom

April 25, 2008 10:10 am

Reads: 286




In the field I’ve often come across the issue where we need the TrustedRoot certificate and we have no eDirectory management tools available or we do not have the Certificate Server snapins installed in either iManager or ConsoleOne. The solution outlined here, exports the TrustedRoot certificate by using standard Linux tools.

The TrustedRoot certificate is stored on every certificate in eDirectory. The encoding type is base64. By default two certificates are created per eDirectory server. The certificates are placed in the same container as the server object. The issue here is that the server location is undetermined, since it can be any container, and that the names of these certificates contain the servername which is also undetermined.

The TrustedRoot certificate is also stored on the Certificate Authority (CA) object. This attribute is not accessible by standard management tools but the place is always the cn=Security container. This makes it faster and easier to search for- and to extract the certificate. The certificate is stored in base64 format in the attribute cACertificate. This solution extracts the certificate, manipulates it with some sed and openssl commands (explained below) and exports it in der format just like you would do with iManager or ConsoleOne.

To cut a long story short, this is the complete command used;

# /usr/bin/ldapsearch -H ldaps://se-nds62.consulting.novell.com:636 -D cn=Admin,o=Novell -wnovell -b cn=Security cn=*\ CA cACertificate -x -LLL | grep -v "dn:" | sed "s/cACertificate:://g" | sed 's/ //g' |openssl base64 -d |openssl x509 -inform der -out /opt/novell/TrustedRootCert_ONE-TWO-TREE.der -outform der

If you want to script this, you could use the following (when copy-pasting the script, take care that no additional characters follow the “\” backslashes otherwise script execution will fail);

# purpose       : Extracting the TrustedRoot certificate from eDirectory with basic command line Linux tools. 
# project       : Novell Consulting Netherlands
# section       : Tooling 
# filename      : GetTRc.sh 
# date          : April 15, 2008 (080415) 
# version       : v1.0 
# function      : This Linux script extracts the TrustedRoot Certificate from the eDirectory's 
#                 Certificate Authority (CA) and saves it in der format. 
# remarks       : - 
# history       : v1.0 inital version 
# author        : J. Moerenhout, Novell Consulting Netherlands



/usr/bin/ldapsearch -x -LLL -H ldaps://$HOSTNAME:636 -D $USERNAME -w$PASSWORD -b cn=Security cn=*\ CA cACertificate \
| grep -v "dn:" \
| sed "s/cACertificate:://g" \
| sed 's/ //g' \
| openssl base64 -d \
| openssl x509 -inform der -out /opt/novell/$CERTNAME -outform der 

Explanation of commands used;

  1. extract the cACertificate attribute from the Certificate Authority object by /usr/bin/ldapsearch -x -LLL -H ldaps://$HOSTNAME:636 -D $USERNAME -w$PASSWORD -b cn=Security cn=*\ CA cACertificate

    - /usr/bin/ldapsearch is the ldapsearch command to use, we deliberately use the openldap ldapsearch command since the openssl version can be configured to ignore ssl (assuming we haven’t got the TrustedRoot certificate yet, we can’t use the eDirectory version since this requires the TrustedRoot certificate to do an successful SSL bind)

    -x to use simple authentication (ignore the SSL certificates)

    -LLL to export in LDIF format without comments and version

    -H is the LDAP URI of the LDAP server, we connect to port 636

    -D is the bind name, we used Admin here, there is no real need to use Admin, any user can be used since the CA object and cACertificate attribute can be read by any user

    -w is the password (can also be -W where you will be asked to specify the password on the commandline)

    -b cn=Security is the base search container

    cn=*\ CA cACertificate \ is the search parameter, we search for the name containing “CA” (the CA contains the tree name in it’s name, by searching for *\ CA, any CA is found) and list the cACertificate attribute

  2. ldapsearch exports the dn at the beginning, grep -v “dn:” is used to remove the line with the dn in it
  3. ldapsearch exports the attribute name at the beginning, sed “s/cACertificate:://g” is used to remove the text “cACertificate”
  4. ldapsearch exports data 80 characters wide and adds a space at the beginning of each line where the data continues, sed ‘s/ //g’ is used to remove the leading spaces
  5. the data in eDirectory is stored in base64 format, use openssl base64 -d to decode the data from base64
  6. after we decoded the data, use openssl x509 -inform der -out /opt/novell/$CERTNAME -outform der to encode it in x509 format again and export the data in der format

The TrustedRoot certificate of the tree specified is now stored in /opt/novell.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.