
Re: Using "keytool" to create security certificates for OpenLDAP



Safdar Kureishy wrote:
- Enable SSL on OpenLDAP (and all the certs/keys etc.)
[I've got this done via the installer itself and it works using the
ldapbrowser/editor tool that I downloaded online]

So I'll assume this is all okay, although you may also want to check with an OpenLDAP client like ldapsearch.


- Create a truststore on the JLDAP (client) side and add the OpenLDAP
server certificate to that truststore. I'm also hoping that this task
can be automated with Ant or as part of an installer given the
location of the certificate file that is to be trusted.
[I'm at a loss as to what tool to use to generate the client-side
truststore and add the server-side certificate to it. Basically I'm
looking for some instructions.]

Creating and installing a client side store is really a Java question, but here's the easiest thing to do. Your client JRE should have a default keystore where it checks for CA certs. Assuming you are using a *nix environment and your JAVA_HOME is '/usr/java', the command for adding your own CA cert would be something like:


/usr/java/bin/keytool -import -alias localca -keystore /usr/java/jre/lib/security/cacerts -trustcacerts -file /path/to/your/localcacert.pem

You'll be prompted for a keystore password, which by default is 'changeit' (hint, hint) for the cacerts keystore.

Again, keystores are a Java topic which can be explained better on a Java forum. The keytool man page is also useful.

Hope this helps.

Jon Roberts
www.mentata.com
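As an added example (not part of the thread above), the same import done from Java instead of keytool, writing the CA certificate into a dedicated client truststore rather than editing the JRE's cacerts and its default password. The file paths, the alias prefix and the fallback password are assumptions; a JLDAP/JNDI client is then pointed at the store via the standard javax.net.ssl system properties.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Builds a dedicated client truststore from a PEM CA certificate (paths are hypothetical). */
public class BuildTrustStore {

    /** Imports every certificate in the PEM file into a fresh truststore; returns how many. */
    static int build(String pemPath, String storePath, char[] storePassword) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty store: we do not touch the JRE's cacerts

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int imported = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates() accepts a PEM file holding one or more certificates
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                x.checkValidity(); // fail early on an expired or not-yet-valid cert
                if (x.getBasicConstraints() < 0) {
                    // A leaf (server) cert still works but only trusts that one host
                    System.err.println("Note: not a CA certificate: " + x.getSubjectX500Principal());
                }
                ts.setCertificateEntry("localca-" + imported, x); // alias prefix is assumed
                imported++;
            }
        }
        try (OutputStream out = new FileOutputStream(storePath)) {
            ts.store(out, storePassword); // store gets its own password, not 'changeit'
        }
        return imported;
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "/path/to/your/localcacert.pem";
        String store = args.length > 1 ? args[1] : "client-truststore.jks";
        char[] pw = System.console() != null
                ? System.console().readPassword("New truststore password: ")
                : "replace-this-password".toCharArray(); // assumed fallback for non-interactive runs
        int n = build(pem, store, pw);
        System.out.println("Imported " + n + " certificate(s) into " + store);
        // Point the LDAP client's SSL sockets at the new store instead of the JRE default
        System.setProperty("javax.net.ssl.trustStore", store);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(pw));
    }
}
```

The resulting store can be inspected with `keytool -list -keystore client-truststore.jks` to confirm the CA entry before the LDAP client is run.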