
Re: Storing TLS credentials in the directory



Turbo Fredriksson wrote:
On 9 Apr 2017, at 14:24, Howard Chu <hyc@symas.com> wrote:

Please read the slapo-autoca(5) manpage for more info.

This is exactly how easy I’m envisioning this to be! Brilliant, thanx!

So if I’m understanding this correctly, all you have to do to request
a certificate for a specific object, is to read the “userPrivateKey;binary”
of that RDN?

You must request exactly two attributes, otherwise the overlay ignores it:
	userCertificate;binary
	userPrivateKey;binary

Now, I know it’s well too early for feature requests :D, but I have a few
questions (and a feature request :):

    1) Why are both certificates (private AND public) in the same attribute?
        I can see the reason to have the public … “public” (with a much
        more relaxed ACL/ACI).

They aren't, they are in two separate attributes.

    2) What if I want a new certificate for that RDN?
         Such as the previous one is [about to] expire and it needs to be
         refreshed (preferably (?) without destroying/removing the old one).

Currently you would have to delete the old one first.

    3) Is the CA's _public_ key available as well?
         Same reason as point 1.

If the overlay generated it, then it is stored in cACertificate;binary in the suffix entry of the database.

    4) If I already have a CA “on premises” and that has created an
        intermediate CA I’d like to use for “autoca”, could this be done?

You can replace cACertificate;binary and cAPrivateKey;binary of the suffix entry to force this.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
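
The three operations Howard describes (request a pair by searching for exactly the two attributes, delete the old pair before renewing, and replace the CA material in the suffix entry) written out as shell helpers. This is an added example, not code from the thread or from OpenLDAP; it only emits the ldapsearch command line and the ldapmodify LDIF so they can be checked offline. The suffix dc=example,dc=com, the entry uid=alice,ou=people,dc=example,dc=com, the ldapi:/// URI with SASL EXTERNAL, the DER file paths and the sample reply are all assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: not from this thread or from OpenLDAP itself.
# Shell helpers for the three slapo-autoca operations described above:
# request a cert/key pair, renew it (delete the old pair first), and
# swap in an existing intermediate CA. Each helper emits the ldapsearch
# command or ldapmodify LDIF rather than running it, so the output can
# be reviewed and tested without a server.
# Assumed (not in the thread): suffix dc=example,dc=com, an ldapi:///
# URI with SASL EXTERNAL, the entry DN, and DER files for the CA.

SUFFIX="${SUFFIX:-dc=example,dc=com}"
LDAPURI="${LDAPURI:-ldapi:///}"

# 1) Request: the search must ask for exactly these two attributes,
#    otherwise the overlay ignores it. Nothing else goes in the list.
autoca_request_cmd() {
    # $1 = DN of the entry that should receive a certificate
    printf 'ldapsearch -LLL -H "%s" -Y EXTERNAL -b "%s" -s base "(objectClass=*)" "userCertificate;binary" "userPrivateKey;binary"\n' \
        "$LDAPURI" "$1"
}

# 2) Renew: the old pair has to be deleted first, then the request
#    above is repeated to get a fresh one.
autoca_renew_ldif() {
    # $1 = entry DN
    cat <<EOF
dn: $1
changetype: modify
delete: userCertificate;binary
-
delete: userPrivateKey;binary
-
EOF
}

# 3) Use an on-premises intermediate CA: replace the pair the overlay
#    stored in the suffix entry. Paths must be absolute (file:// URL);
#    ;binary attributes carry DER, so convert PEM first if needed.
autoca_set_ca_ldif() {
    # $1 = DER-encoded CA certificate, $2 = DER-encoded CA private key
    cat <<EOF
dn: $SUFFIX
changetype: modify
replace: cACertificate;binary
cACertificate;binary:< file://$1
-
replace: cAPrivateKey;binary
cAPrivateKey;binary:< file://$2
-
EOF
}

# Check: read the LDIF a request returned on stdin and succeed only if
# both attributes came back (an ignored request returns neither).
autoca_got_pair() {
    awk 'BEGIN { c = 0; k = 0 }
         /^userCertificate;binary::/ { c = 1 }
         /^userPrivateKey;binary::/  { k = 1 }
         END { exit !(c && k) }'
}

# Constructed sample of a successful reply; the values are placeholders,
# not real certificate or key material.
SAMPLE_REPLY='dn: uid=alice,ou=people,dc=example,dc=com
userCertificate;binary:: MIIB...placeholder...
userPrivateKey;binary:: MIIE...placeholder...'

# Stand-alone run: show what would be sent, then verify the sample reply.
autoca_request_cmd "uid=alice,ou=people,dc=example,dc=com"
autoca_renew_ldif "uid=alice,ou=people,dc=example,dc=com"
autoca_set_ca_ldif /etc/ssl/private/intermediate.der /etc/ssl/private/intermediate-key.der
printf '%s\n' "$SAMPLE_REPLY" | autoca_got_pair && echo "sample reply: both attributes present"
```

Against a live server the helpers compose directly: `eval "$(autoca_request_cmd "$DN")" | autoca_got_pair` issues the request and confirms the pair came back, and `autoca_renew_ldif "$DN" | ldapmodify -H "$LDAPURI" -Y EXTERNAL` clears the old pair before a second request. Since the private key is handed to whoever can read userPrivateKey;binary (and the CA key to whoever can read cAPrivateKey;binary in the suffix entry), the slapd ACL on those attributes deserves the same care as file permissions on a CA key.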