
Re: Storing X509 certificates in LDAP?



Dieter Kluenter wrote:

An X.509 certificate is a base64 encoded attribute value.

Just to avoid confusion and further questions let us be more precise:

When storing X.509 certificates via LDAP you have to transmit the raw DER encoding without(!) base64. With OpenLDAP you have to use binary transfer encoding (userCertificate;binary). Also note that the base64-encoded form with BEGIN/END CERTIFICATE lines does not work!

When specifying a binary blob in an LDIF file you have to use this form (see RFC2849):

userCertificate;binary:: <multiple lines of base64-encoded binary blob>
                      ^^
Note the double colon!

Another option is to use URLs in LDIF:

userCertificate;binary:< file:///..../user.crt

When creating LDIF the best bet is to use an LDIF module for your favourite programming language which does the job for you.

Ciao, Michael.
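The two LDIF forms from the post (`userCertificate;binary::` with a base64 value, and `userCertificate;binary:<` with a file URL), worked through as an added example; this is not code from the original message or from OpenLDAP. It uses only the Python standard library rather than a real LDIF module. The certificate blob is a constructed ASN.1 SEQUENCE of filler bytes, not a real certificate, so it exercises the DER-vs-PEM handling and RFC 2849 line folding but would not pass slapd's certificate syntax check; the DN and attribute values are hypothetical.

```python
import base64
import os
import pathlib
import re
import tempfile
from urllib.parse import urlparse
from urllib.request import url2pathname

# Constructed stand-in for a DER-encoded certificate: an ASN.1 SEQUENCE
# (tag 0x30, long-form length 0x81 0x80) holding 128 filler bytes.
# Not a real certificate; any genuine DER blob is handled identically.
SAMPLE_DER = b"\x30\x81\x80" + bytes(range(128))

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and decode the base64 body to raw DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, used here only to build the 'wrong' input."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fold(line: str, width: int = 76) -> str:
    """RFC 2849 folding: continuation lines start with exactly one space."""
    parts = [line[:width]]
    pos = width
    while pos < len(line):
        parts.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return "\n".join(parts)


def cert_entry_ldif(dn: str, cert_der: bytes) -> str:
    """Build an LDIF entry carrying the certificate as base64 of raw DER ('::').

    Refuses PEM text: a DER certificate always begins with the SEQUENCE tag.
    """
    if not cert_der.startswith(b"\x30"):
        raise ValueError("value is not DER (no SEQUENCE tag); pass raw DER, not PEM")
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [
        fold("dn: " + dn),
        "objectClass: inetOrgPerson",
        "cn: Example User",          # hypothetical values
        "sn: User",
        fold("userCertificate;binary:: " + b64),  # note the double colon
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> dict:
    """Unfold one LDIF entry and decode each value by its separator:
    ':: ' -> base64, ':< ' -> fetch from a file: URL, ': ' -> literal text."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # join continuation line
        elif raw:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip(), validate=True)
        elif rest.startswith("<"):
            url = urlparse(rest[1:].strip())
            if url.scheme != "file":
                raise ValueError("only file: URLs are supported in this example")
            with open(url2pathname(url.path), "rb") as f:
                value = f.read()
        else:
            value = rest.strip().encode("utf-8")
        attrs.setdefault(name, []).append(value)
    return attrs


def roundtrip_via_file_url(cert_der: bytes) -> bytes:
    """Demonstrate the ':<' form: write DER to a temp file, reference it by URL."""
    fd, path = tempfile.mkstemp(suffix=".crt")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(cert_der)
        url = pathlib.Path(path).as_uri()
        ldif = f"dn: cn=Example User,dc=example,dc=com\nuserCertificate;binary:< {url}\n"
        return parse_ldif_entry(ldif)["userCertificate;binary"][0]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(cert_entry_ldif("cn=Example User,ou=People,dc=example,dc=com", SAMPLE_DER))
```

To use a real certificate, feed the output of `openssl x509 -in user.pem -outform DER` (or `pem_to_der()` on the PEM text) to `cert_entry_ldif()`; feeding the PEM file itself is exactly the mistake the post warns about, and the SEQUENCE-tag check catches it before anything reaches the server.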