[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

To: Turbo Fredriksson <turbo@bayour.com>, OpenLDAP-devel@openldap.org
Subject: Re: Storing TLS credentials in the directory
From: Howard Chu <hyc@symas.com>
Date: Sun, 9 Apr 2017 20:51:00 +0100
In-reply-to: <WM!7aa8bc5ba3dd5b06bb5039edc2cf9c472be38284f0e6aa251fad97b0f6474beb857587a973dc72ce16ad3470c0b65634!@mailstronghold-2.zmailcloud.com>
References: <E1cx31W-0005aD-M5@euler.openldap.org> <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com> <BE9CD1C3-B433-453A-92EE-258046EA3796@bayour.com> <WM!72c4bd8a502cb74b06f81b6b79f016b392e96533e633776189e8f3d79378f724d1b0950ee046f711f5b3fe60c82ab046!@mailstronghold-1.zmailcloud.com> <3b82bb6c-d295-586a-97ae-1498b74062bd@symas.com> <7A069EFE-53C6-4EDC-98DC-F2D9F53F2A18@bayour.com> <WM!f39622754a54a322cd4b5d4c797e2b29ba134ab8db60fd17eed0c572861319bf9e5b6654563372ab175acd66972902c7!@mailstronghold-2.zmailcloud.com> <223d2e96-5b9f-c069-9bbc-2e921a15c287@symas.com> <5CEB19F4-4A7B-4468-9594-52ED48614F03@bayour.com> <WM!bc4c5478139297a47e7fa44652289fc28a0143f6c9c8188eeecfdde3e0b22eb4c1c85e4b29dfe8c1fa20ec2768a2bc76!@mailstronghold-1.zmailcloud.com> <7ffccddb-28b1-7182-1ec1-da4995d6ed51@symas.com> <C280F744-B865-4603-8BDE-4F24376CAD91@bayour.com> <WM!7aa8bc5ba3dd5b06bb5039edc2cf9c472be38284f0e6aa251fad97b0f6474beb857587a973dc72ce16ad3470c0b65634!@mailstronghold-2.zmailcloud.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2

Turbo Fredriksson wrote:

On 9 Apr 2017, at 17:55, Howard Chu <hyc@symas.com> wrote:

   2) What if I want a new certificate for that RDN?
        Such as the previous one is [about to] expire and it needs to be
        refreshed (preferably (?) without destroying/removing the old one).


Currently you would have to delete the old one first.


Ok, thanx. Not that big a’ deal I guess.


I've noted this in the manpage now.

   3) Is the CAs _public_ key available as well?
        Same reason as point 1.


If the overlay generated it, then it is stored in cACertificate;binary in the suffix entry of the database.


Awesome! Update the man page about this as well then :)


Done.

   4) If I already have a CA “on premises” and that have created an
       intermediate CA I’d like to use for “autoca”, could this be done?


You can replace cACertificate;binary and cAPrivateKey;binary of the suffix entry to force this.


I see, that’s quite smart! So they’re writable, not just read-only then.
This should probably also be documented.

Is that true for userCertificate and userPrivateKey as well?


Yes. Also noted in the manpage.

If you're running git master, you can look at test066-autoca and see how it works.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>

References:
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>

Prev by Date: Re: Storing TLS credentials in the directory
Next by Date: Re: Storing TLS credentials in the directory
Index(es):
- Chronological
- Thread