How do I use TLS/SSL with Mozilla NSS?
OpenLDAP can use Mozilla NSS as the TLS/SSL implementation. If you previously used OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings specified in your configuration files, those settings should work exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc. and apply them in the same way. The goal is that you will not be able to tell you are using OpenLDAP with Mozilla NSS because it will work exactly the same as OpenLDAP with OpenSSL.
For general information about using TLS/SSL with OpenLDAP see http://www.openldap.org/faq/index.cgi?file=185
For information about building OpenLDAP with Mozilla NSS see http://www.openldap.org/faq/index.cgi?file=196
To use a Mozilla certificate/key database, specify the directory path in the CA Certificate directory directive. For example, in ldap.conf or .ldaprc, use
    TLS_CACERTDIR /path/to/cert/key/db/
In slapd.conf, use TLSCACertificatePath. In cn=config, use olcTLSCACertificatePath. If the path contains both OpenSSL formatted CA cert hash symlinks/files _and_ an NSS cert/key database, OpenLDAP will use the NSS cert/key database and ignore the CA files.
To use a specific certificate in a cert/key database, specify the certificate name in the Cert or CertFile directive: ldap.conf or .ldaprc -> TLS_CERT, slapd.conf -> TLSCertificateFile, cn=config -> olcTLSCertificateFile. If the cert is on a token other than the builtin internal NSS software token, specify the token name first, followed by a colon (:). For example:
    TLS_CERT my token name:My Cert Name
The keyfile directive (TLS_KEY, etc.) can be used to specify the name of the file containing the password/pin for the key. See below to use modutil or certutil to disable password protection for the key database.
NSS provides command line utilities for managing the key/cert database. The most commonly used ones are certutil, pk12util, and modutil. Use -H or --help to get usage for these commands.
Common tasks are:
List the certs in the database:
    certutil -d /path/to/certdb -L
Print detailed cert info:
    certutil -d /path/to/certdb -L -n "name of cert"
Export cert to PEM (ASCII):
    certutil -d /path/to/certdb -L -n "name of cert" -a > /path/to/filename.pem
Add a CA certificate for a TLS/SSL issuer CA from a PEM (ASCII) file:
    certutil -d /path/to/certdb -A -n "name of CA cert" -t CT,, -a -i /path/to/cacert.pem
Add a certificate and private key from a PKCS12 file:
    pk12util -d /path/to/certdb -i /path/to/file.p12
You will have to provide the password used to encrypt the .p12 file and the password for the key database. Press 'Enter' if no password.
You cannot export a raw private key or key file from a Mozilla NSS key database. You must first export the key with the cert in a PKCS12 file. You can then use the openssl pkcs12 command to extract the private key:
    pk12util -d /path/to/certdb -o /path/to/myfile.p12 -n "My Cert Name"
Press 'Enter' when prompted for the password to disable password protection of the p12 file. Then use
    openssl pkcs12 -in /path/to/myfile.p12 -out /path/to/file.pem -nodes
to extract the cert and key from the .p12 file and write them to file.pem unencrypted.
When using private keys with OpenLDAP, it is useful to disable password protection of the key database. This will eliminate the need to provide a password/pin on the command line or via a pin file. With no password set, file system permissions are the only protection for the private keys, so restrict the database directory to the account that uses it.
    modutil -dbdir /path/to/certdb -changepw 'NSS Certificate DB'
You must have the old password to perform this operation. Ignore the browser WARNING. Press 'Enter' for the new password to have no password at all. Newer versions of certutil can do this too:
    certutil -d /path/to/certdb -W
Using Builtin Root Certs: NSS comes with a list of root CA certificates. These are contained in the shared library file libnssckbi.so (filename and extension may vary depending on your operating system). For example, if you have NSS installed in /usr/lib64 and your key/cert db is in ~/.moznss:
    cd ~/.moznss
    ln -s /usr/lib64/libnssckbi.so
    modutil -dbdir ~/.moznss -list
will show the Root Certs module. Newer versions of certutil can do this too:
    certutil -d ~/.moznss -U
To see all certs in both the internal cert db and the root certs db:
    certutil -d ~/.moznss -L -h all
To print out certificate details on a CA cert in the root certs db:
    certutil -d ~/.moznss -L -n "Builtin Object Token:NAME OF CERT"
Trust and Trust Flags
If you get this error
    error -8171:Unknown code ___f 21
    error -8172:Unknown code ___f 20
or SEC_ERROR_UNTRUSTED_ISSUER or SEC_ERROR_UNTRUSTED_CERT, you may have to change the trust flags/attributes on your CA, server, or user certs. certutil -H gives some information, and there might be more on the mozilla.org site. This is what the trust should look like:
    Certificate Nickname        Trust Attributes
                                SSL,S/MIME,JAR/XPI
    CA certificate              CTu,u,u
    Server-Cert                 u,u,u
That is - the CA certificate is trusted
    c   valid CA
    T   trusted CA to issue client certs (implies c)
    C   trusted CA to issue server certs (implies c)
    u   user cert
The u is optional here - you probably won't use your CA cert as a user cert. The server cert is trusted as a user cert which, for a server cert, means it is trusted as an SSL server cert. You can also use this server cert as a client cert for doing server to server cert client auth. The certutil -H output lists the trust flag information under the documentation for the -E flag. Use certutil -M to change the trust flags:
    certutil -d /path/to/certdbdir/ -M -n "my CA cert" -t CT,,
    certutil -d /path/to/certdbdir/ -M -n "my server or user cert" -t u,u,u
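The trust check described above can be scripted against the listing printed by certutil -L. This is an added example, not part of the FAQ or of OpenLDAP/NSS: the function names (sample_listing, ssl_flags, check_trust) are hypothetical, the listing is constructed, and it assumes the two-column layout shown in the table above.

```shell
#!/bin/sh
# Added example (not from the FAQ): check the SSL trust field in the
# output of `certutil -d /path/to/certdb -L` against the flags listed above.

# Constructed sample listing: the CA lacks the C flag, so it is not
# trusted to issue server certs.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my CA cert                                                   T,,
Server-Cert                                                  u,u,u
EOF
}

# ssl_flags NICKNAME: read a listing on stdin and print the first (SSL)
# trust field for NICKNAME; exit status 1 if the nickname is not listed.
ssl_flags() {
    awk -v nick="$1" '
        NF < 2 { next }                      # blank and sub-header lines
        {
            name = $0
            sub(/ +[^ ]+ *$/, "", name)      # drop the trust column
            if (name == nick) { split($NF, f, ","); print f[1]; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# check_trust NICKNAME ROLE: ROLE is "ca" (needs C and T) or "server" (needs u).
# Returns 0 if the flags are present, 1 if some are missing, 2 on bad input.
check_trust() {
    flags=$(ssl_flags "$1") || { echo "$1: not in listing"; return 2; }
    case "$2" in
        ca)     need="C T" ;;
        server) need="u" ;;
        *)      echo "unknown role: $2"; return 2 ;;
    esac
    missing=""
    for f in $need; do
        case "$flags" in *"$f"*) ;; *) missing="$missing$f" ;; esac
    done
    if [ -z "$missing" ]; then echo "$1: ok ($flags)"; return 0; fi
    echo "$1: SSL trust '$flags' is missing '$missing'"
    return 1
}

sample_listing | check_trust "my CA cert" ca || true
sample_listing | check_trust "Server-Cert" server || true
```

Against a real database, pipe the certutil -L output into check_trust in place of sample_listing, then correct any reported gap with the certutil -M commands above.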