[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using "keytool" to create security certificates for OpenLDAP

Safdar Kureishy wrote:
- Enable SSL on OpenLDAP (and all the certs/keys etc.)
[I've got this done via the installer itself and it works using the
ldapbrowser/editor tool that I downloaded online]

So I'll assume this is all okay, although you may also want to check with an OpenLDAP client like ldapsearch.

- Create a truststore on the JLDAP (client) side and add the OpenLDAP
server certificate to that truststore. I'm also hoping that this task
can be automated with Ant or as part of an installer given the
location of the certiciate file that is to be trusted.
[I'm at a loss as to what tool to use to generate the client-side
truststore and add the server-side certificate to it. Basically I'm
looking for a some instructions.]

Creating and installing a client side store is really a Java question, but here's the easiest thing to do. Your client JRE should have a default keystore where it checks for CA certs. Assuming you are using a *nix environment and your JAVA_HOME is '/usr/java', the command for adding your own CA cert would be something like:

/usr/java/bin/keytool -import -alias localca -keystore /usr/java/jre/lib/security/cacerts -trustcacerts -file /path/to/your/localcacert.pem

You'll be prompted for a keystore password, which by default is 'changeit' (hint, hint) for the cacerts keystore.

Again, keystores are a Java topic which can be explained better on a Java forum. The keytool man page is also useful.

Hope this helps.

Jon Roberts