Generating an eDirectory Server Certificate using the OpenSSL Tool



By: rraghu

March 5, 2008 6:37 am


Introduction

Using the OpenSSL command-line utility, you can generate the server certificate of an eDirectory server, which can be used to access the secure port of the eDirectory server.

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards that they require. The OpenSSL program is a command-line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell. It can be used to create the certificate.

Commands

Note: This tip provides information only on the commands used while getting the certificate. For more information on other commands, check the man-page of OpenSSL.

s_client – Implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only, as it provides only a rudimentary interface, but internally it uses most of the functionality of the OpenSSL library.

x509 – A multi-purpose certificate display and signing utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a “mini CA,” or edit certificate trust settings.

Getting the eDirectory Certificate

Below are the steps to get the eDirectory certificate.

1. Run this command:

openssl s_client -host <eDirectory server ip> -port <secure port> -showcerts

The above command displays the server's certificate chain; redirect its output to a file, as shown below.

openssl s_client -host 127.0.0.1 -port 636 -showcerts > cert.info

2. Open the cert.info file and search for the Organizational CA, which looks like the example below.

 1 s:/OU=Organizational CA/O=SL-MARA
   i:/OU=Organizational CA/O=SL-MARA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

3. Copy the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) and paste it into a new file, saving it as a .pem file (such as cert.pem).

You can use the .pem format certificate to access the secure port of eDirectory with the OpenLDAP tools.

4. Convert the .pem format certificate into .der format by using the x509 command, as shown below.

openssl x509 -in cert.pem -out cert.der -outform der

The .der format certificate can be used to access the eDirectory through Novell LDAP servers.

5. Use the cert.der to access the secure port of eDirectory server, as follows:

ldapsearch -D cn=admin,o=com -h 127.0.0.1 -p 636 -e cert.der -w passwd cn=admin
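Steps 1 to 4 as an added Python example, not code from the original tip: it parses a constructed cert.info capture laid out the way openssl s_client -showcerts prints a chain, picks the self-issued Organizational CA entry rather than the server's own certificate, converts the PEM to DER with the standard library in place of openssl x509, and prints a SHA-256 fingerprint so the retrieved CA can be compared with the value the eDirectory administrator publishes before it is trusted. The certificate bodies in the sample are placeholder bytes, not real X.509 data.

```python
import base64, hashlib, re, ssl

def _fake_pem(raw):
    """Wrap constructed bytes in PEM armour (placeholder, not a real X.509 cert)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % (
        base64.b64encode(raw).decode())

# Constructed stand-in for `openssl s_client ... -showcerts > cert.info`.
SAMPLE_CERT_INFO = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:/CN=ldap.example.test/O=SL-MARA\n"
    "   i:/OU=Organizational CA/O=SL-MARA\n"
    + _fake_pem(b"placeholder-server-cert") + "\n"
    " 1 s:/OU=Organizational CA/O=SL-MARA\n"
    "   i:/OU=Organizational CA/O=SL-MARA\n"
    + _fake_pem(b"placeholder-organizational-ca") + "\n---\n"
)

# One chain entry as s_client prints it: index, subject line, issuer line, PEM block.
CHAIN_ENTRY = re.compile(
    r"^ *\d+ s:(?P<subject>[^\n]*)\n *i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

def parse_chain(cert_info):
    """Return [{subject, issuer, pem}, ...] in the order the server sent them."""
    return [m.groupdict() for m in CHAIN_ENTRY.finditer(cert_info)]

def find_organizational_ca(cert_info, ou="Organizational CA"):
    """Step 2: pick the entry carrying the OU that is also its own issuer."""
    for entry in parse_chain(cert_info):
        if "OU=" + ou in entry["subject"] and entry["subject"] == entry["issuer"]:
            return entry
    raise LookupError("no self-issued certificate with OU=%s in the chain" % ou)

def pem_to_der(pem):
    """Step 4 (`openssl x509 -outform der`) done with the standard library."""
    return ssl.PEM_cert_to_DER_cert(pem)

def fingerprint(der):
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    hexed = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))

if __name__ == "__main__":  # swap SAMPLE_CERT_INFO for open("cert.info").read()
    ca = find_organizational_ca(SAMPLE_CERT_INFO)
    der = pem_to_der(ca["pem"])
    open("cert.der", "wb").write(der)
    print("subject:", ca["subject"], "\nsha256:", fingerprint(der))
```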

Summary

In summary, these are the steps to generate the certificate:

1. Get the server certificate information using s_client and redirect to file.

2. Open the certificate and find the Organizational CA information.

3. Copy the certificate content and save it in .pem format.

4. Convert the .pem format certificate to .der format, using x509.

5. Use the .der certificate to access the secure port of the eDirectory server.



1 Comment

  1. By: jwilleke

    Nice article, but seems like it is more about retrieving the Organization CA from a server than generating a certificate.
