(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Answer) How do I use TLS/SSL with Mozilla NSS?
OpenLDAP can use Mozilla NSS as the TLS/SSL implementation. If you previously used OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings specified in your configuration files, those settings should work exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc. and apply them in the same way. The goal is that you will not be able to tell you are using OpenLDAP with Mozilla NSS because it will work exactly the same as OpenLDAP with OpenSSL.
For general information about using TLS/SSL with OpenLDAP see http://www.openldap.org/faq/index.cgi?file=185
For information about building OpenLDAP with Mozilla NSS see http://www.openldap.org/faq/index.cgi?file=196
To use a Mozilla certificate/key database, specify the directory path in the CA Certificate directory directive. For example, in ldap.conf or .ldaprc, use TLS_CACERTDIR /path/to/cert/key/db/ In the slapd.conf, use TLSCACertificatePath. In cn=config, use olcTLSCACertificatePath. If the path contains both OpenSSL formatted CA cert hash symlinks/files _and_ an NSS cert/key database, OpenLDAP will use the NSS cert/key database and ignore the CA files.
To use a specific certificate in a cert/key database, specify the certificate name in the Cert or CertFile directive: ldap.conf or .ldaprc -> TLS_CERT, slapd.conf -> TLSCertificateFile, cn=config -> olcTLSCertificateFile. If the cert is on a token other than the builtin internal NSS software token, specify the token name first, followed by a colon (:). For example:
 TLS_CERT my token name:My Cert Name
The keyfile directive (TLS_KEY, etc.) can be used to specify the name of the file containing the password/pin for the key. See below to use modutil or certutil to disable password protection for the key database.

NSS provides command line utilities for managing the key/cert database. The most commonly used ones are certutil, pk12util, and modutil. Use -H or --help to get usage for these commands. Common tasks are:
List certs by name:

 certutil -d /path/to/certdb -L
Print detailed cert info:
 certutil -d /path/to/certdb -L "name of cert"
Export cert to PEM (ASCII):
 certutil -d /path/to/certdb -L "name of cert" -a > /path/to/filename.pem
Add a CA certificate for a TLS/SSL issuer CA from a PEM (ASCII) file:
 certutil -d /path/to/certdb -A -n "name of CA cert" -t CT,, -a -i /path/to/cacert.pem
Add a certificate and private key from a PKCS12 file:
 pk12util -d /path/to/certdb -i /path/to/file.p12
You will have to provide the password used to encrypt the .p12 file and the password for the key database. Press 'Enter' if no password.
You cannot export a raw private key or key file from a Mozilla NSS key database. You must first export the key with the cert in a PKCS12 file. You can then use the openssl pkcs12 command to extract the private key:
 pk12util -d /path/to/certdb -o /path/to/myfile.p12 -n "My Cert Name"
Press 'Enter' when prompted for the password to disable password protection of the p12 file.
 openssl pkcs12 -in /path/to/myfile.p12 -out /path/to/file.pem -nodes
to extract the cert and key from the .p12 file and write them to file.pem unencrypted.
When using private keys with OpenLDAP, it is useful to disable password protection of the key database. This will eliminate the need to provide a password/pin on the command line or via a pin file:
 modutil -dbdir /path/to/certdb -changepw 'NSS Certificate DB'
You must have the old password to perform this operation. Ignore the browser WARNING. Press 'Enter' for the new password to have no password at all. Newer versions of certutil can do this too:
 certutil -d /path/to/certdb -W
Using Builtin Root Certs: NSS comes with a list of root CA certificates. These are contained in the shared library file libnssckbi.so (filename and extension may vary depending on your operating system). For example, if you have NSS installed in /usr/lib64 and your key/cert db is in ~/.moznss:
 cd ~/.moznss
 ln -s /usr/lib64/libnssckbi.so
 modutil -dbdir ~/.moznss -list
will show the Root Certs module. Newer versions of certutil can do this too:
 certutil -d ~/.moznss -U
to see all certs in both the internal cert db and the root certs db:
 certutil -d ~/.moznss -L -h all
to print out certificate details on a CA cert in the root certs db:
 certutil -d ~/.moznss -L -n "Builtin Object Token:NAME OF CERT"

Trust and Trust Flags

If you get this error
error -8171:Unknown code ___f 21
error -8172:Unknown code ___f 20

you may have to change the trust flags/attributes on your CA, server, or user certs.

certutil -H gives some information, and there might be more on the mozilla.org site.

This is what the trust should look like:
Certificate Nickname                                         Trust Attributes

CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u

That is - the CA certificate is trusted
                          c      valid CA
                          T      trusted CA to issue client certs (implies c)
                          C      trusted CA to issue server certs (implies c)
                          u      user cert
The u is optional here - you probably won't use your CA cert as a user cert.

The server cert is trusted as a user cert which, for a server cert, means it is trusted as an SSL server cert.  You can also use this server cert as a client cert for doing server to server cert client auth.

The certutil -H lists the trust flag information under the documentation for the -E flag.

Use certutil -M to change the trust flags:
certutil -d /path/to/certdbdir/ -M -n "my CA cert" -t CT,,
certutil -d /path/to/certdbdir/ -M -n "my server or user cert" -t u,u,u
[Append to This Answer]
Previous: (Answer) How do I use TLS/SSL?
Next: (Answer) New Item
This document is: http://www.openldap.org/faq/index.cgi?file=1514
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org