[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

To: OpenLDAP-devel@openldap.org
Subject: Re: Storing TLS credentials in the directory
From: Turbo Fredriksson <turbo@bayour.com>
Date: Sun, 9 Apr 2017 18:24:30 +0100
Authorized-sender: turbo@bayour.com
In-reply-to: <7ffccddb-28b1-7182-1ec1-da4995d6ed51@symas.com>
References: <E1cx31W-0005aD-M5@euler.openldap.org> <WM!4ba83b2090d2bd1da4412c283bf93e9733cc0be005cc6e1eea16569b1a5755a16c137c899e1426c4e700614ef0d86a6e!@mailstronghold-2.zmailcloud.com> <faee960d-3967-2eed-b6ec-d2f8e0b4fdc6@symas.com> <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com> <BE9CD1C3-B433-453A-92EE-258046EA3796@bayour.com> <WM!72c4bd8a502cb74b06f81b6b79f016b392e96533e633776189e8f3d79378f724d1b0950ee046f711f5b3fe60c82ab046!@mailstronghold-1.zmailcloud.com> <3b82bb6c-d295-586a-97ae-1498b74062bd@symas.com> <7A069EFE-53C6-4EDC-98DC-F2D9F53F2A18@bayour.com> <WM!f39622754a54a322cd4b5d4c797e2b29ba134ab8db60fd17eed0c572861319bf9e5b6654563372ab175acd66972902c7!@mailstronghold-2.zmailcloud.com> <223d2e96-5b9f-c069-9bbc-2e921a15c287@symas.com> <5CEB19F4-4A7B-4468-9594-52ED48614F03@bayour.com> <WM!bc4c5478139297a47e7fa44652289fc28a0143f6c9c8188eeecfdde3e0b22eb4c1c85e4b29dfe8c1fa20ec2768a2bc76!@mailstronghold-1.zmailcloud.com> <7ffccddb-28b1-7182-1ec1-da4995d6ed51@symas.com>

On 9 Apr 2017, at 17:55, Howard Chu <hyc@symas.com> wrote:

> Turbo Fredriksson wrote:
>> So if I’m understanding this correctly, all you have to do to request
>> a certificate for a specific object, is to read the “userPrivateKey;binary”
>> of that RDN?
> 
> You must request exactly two attributes, otherwise the overlay ignores it:
> 	userCertificate;binary
> 	userPrivateKey;binary

Ah, neat!

The man page states:

    The CA's private key is stored in a cAPrivateKey attribute, and user and 
    server private keys are stored in the userPrivateKey attribute.

so I thought BOTH certs was in userPrivateKey. Which doesn’t make much
sense, in retrospect :)

>>    2) What if I want a new certificate for that RDN?
>>         Such as the previous one is [about to] expire and it needs to be
>>         refreshed (preferably (?) without destroying/removing the old one).
> 
> Currently you would have to delete the old one first.

Ok, thanx. Not that big a’ deal I guess.

>>    3) Is the CAs _public_ key available as well?
>>         Same reason as point 1.
> 
> If the overlay generated it, then it is stored in cACertificate;binary in the suffix entry of the database.

Awesome! Update the man page about this as well then :)

>>    4) If I already have a CA “on premises” and that have created an
>>        intermediate CA I’d like to use for “autoca”, could this be done?
> 
> You can replace cACertificate;binary and cAPrivateKey;binary of the suffix entry to force this.

I see, that’s quite smart! So they’re writable, not just read-only then.
This should probably also be documented.

Is that true for userCertificate and userPrivateKey as well?

References:
- Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Storing TLS credentials in the directory
Next by Date: Re: Storing TLS credentials in the directory
Index(es):
- Chronological
- Thread