
Re: Using "keytool" to create security certificates for OpenLDAP

Thanks Jon. This helps. I do have a few more questions that are
related to OpenLDAP:

1) I'm on a Windows machine, and in the OpenLDAP installation
directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
related files. Could you tell me which is which, and which I should
add to the truststore on the client?
- serverkey.pem
- server.pem
- CA.pem
- cakey.pem
- ca.srl

2) I actually tried adding "server.pem" to my client's truststore
using keytool, and it seems that it got added (it gets listed with the
-list option), but when I do the following with JLDAP to connect to
the OpenLDAP server, I get an LDAPException with a root message:
"sun.security.validator.ValidatorException: No trusted certificate

        if (this.useSSL) {
            // Factory class is cut off in the original; JLDAP's JSSE factory is assumed here.
            LDAPSocketFactory sslSocketFactory = new LDAPJSSESecureSocketFactory();
            this.masterConnection = new LDAPConnection(sslSocketFactory);
        } else {
            this.masterConnection = new LDAPConnection();
        }

        try {
            this.masterConnection.connect(host, port);
            this.masterConnection.bind(LDAPConnection.LDAP_V3, this.loginDN, passwd);
        } catch (LDAPException e) {
            throw new InitializationException(e); // This is what I get every time
        }

How do I solve this problem? Any ideas?

Thanks in advance :)


On Fri, 25 Mar 2005 09:54:45 -0600, Jon Roberts <jon@jonanddeb.net> wrote:
> Safdar Kureishy wrote:
> > - Enable SSL on OpenLDAP (and all the certs/keys etc.)
> > [I've got this done via the installer itself and it works using the
> > ldapbrowser/editor tool that I downloaded online]
> So I'll assume this is all okay, although you may also want to check
> with an OpenLDAP client like ldapsearch.
> > - Create a truststore on the JLDAP (client) side and add the OpenLDAP
> > server certificate to that truststore. I'm also hoping that this task
> > can be automated with Ant or as part of an installer given the
> > location of the certificate file that is to be trusted.
> > [I'm at a loss as to what tool to use to generate the client-side
> > truststore and add the server-side certificate to it. Basically I'm
> > looking for some instructions.]
> Creating and installing a client side store is really a Java question,
> but here's the easiest thing to do. Your client JRE should have a
> default keystore where it checks for CA certs. Assuming you are using a
> *nix environment and your JAVA_HOME is '/usr/java', the command for
> adding your own CA cert would be something like:
> /usr/java/bin/keytool -import -alias localca -keystore
> /usr/java/jre/lib/security/cacerts -trustcacerts -file
> /path/to/your/localcacert.pem
> You'll be prompted for a keystore password, which by default is
> 'changeit' (hint, hint) for the cacerts keystore.
> Again, keystores are a Java topic which can be explained better on a
> Java forum. The keytool man page is also useful.
> Hope this helps.
> Jon Roberts
> www.mentata.com
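As an added example (not code from either poster), here is one way to combine Jon's keytool step with the JLDAP connection above: import CA.pem into a dedicated truststore instead of editing the JRE's shared cacerts, then tell JSSE to use that store before the secure socket is opened. It assumes CA.pem is the CA certificate that signed server.pem, that serverkey.pem and cakey.pem are private keys that stay on the server, and that the host, DN, password and truststore path are placeholders.

```java
// Added example: trust the OpenLDAP CA from a dedicated truststore.
// One-time truststore build (runnable from Ant's <exec> task or an installer):
//   keytool -import -alias openldap-ca -keystore ldap-truststore.jks -file CA.pem
// Assumption: CA.pem is the CA certificate; *.key.pem files never leave the server.
import java.nio.charset.StandardCharsets;

import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPJSSESecureSocketFactory;

public class SecureLdapClient {

    public static LDAPConnection connectOverTls(String host, int port,
                                                String truststorePath, String truststorePassword,
                                                String loginDN, String passwd) throws LDAPException {
        // JSSE only consults the JRE's cacerts unless told otherwise. A certificate
        // imported into some other keystore is never seen, which produces
        // "No trusted certificate found" even though keytool -list shows it.
        System.setProperty("javax.net.ssl.trustStore", truststorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);

        // The TLS handshake validates server.pem against CA.pem before any bind.
        LDAPConnection conn = new LDAPConnection(new LDAPJSSESecureSocketFactory());
        conn.connect(host, port);
        conn.bind(LDAPConnection.LDAP_V3, loginDN,
                  passwd.getBytes(StandardCharsets.UTF_8));
        return conn;
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder values; replace with the real server and truststore.
        LDAPConnection conn = connectOverTls("ldap.example.org",
                                             LDAPConnection.DEFAULT_SSL_PORT,
                                             "ldap-truststore.jks", "changeit",
                                             "cn=Manager,dc=example,dc=org", "secret");
        System.out.println("Bound as " + conn.getAuthenticationDN());
        conn.disconnect();
    }
}
```

Importing only the CA certificate (not server.pem) means a re-issued server certificate from the same CA keeps working without touching every client truststore.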