Hi Stefan,

Stefan Zoerner wrote:
> Hi all,
>
> I am facing some problems with the current (since 1.5.3, I assume) SSL
> configuration. In earlier days, it was possible to provide a keystore
> with the public/private key, certificate etc. here
>
> http://cwiki.apache.org/confluence/display/DIRxSRVx11/3.3.+How+to+enable+SSL
>
> Now, the server creates a keypair when it starts the first time and
> stores it in the entry uid=admin,ou=system, in different attributes.
>
> To be honest: This is an example why our documentation is so bad. The
> old behavior has been well described in the docs. Someone changed it
> completely, and did not update the docs. Same situation holds true for
> the whole configuration. :-(
>
> Nevertheless, the new SSL functionality seems to be simpler, because it
> is possible to set it up automatically. But if I plan to use a custom
> certificate, it should be at least possible. Today, there was a
> corresponding question on the user list.
>
> I wanted to update the docs to reflect the changes, and I am still
> trying to figure out, what an easy way for our users would be.
>
> A question for the current implementation: Is there any way to
> configure/influence the key creation at startup? I assume no, but
> perhaps I am missing something.

I have no idea. The only direction I could point you to is the class where the
initial private key and certificate are created, see [1].

> Currently, the only way to set up my own certificate is modifying the
> attribute values for uid=admin,ou=system
>
> This is not an easy task, because we do not have any tools for that.
> There is no wizard in Studio yet. Even if there would be one -- it
> should be possible without a UI client, ...

You are right, if we create some tooling we should put all common code into
the shared libraries, and then create a wizard for Studio and a CL-tool.

> I was able to store my private key, but I am a little bit confused about
> some attribute. What exactly is contained in userCertificate and what in
> publicKey?
>
> I assume, userCertificate holds the certificate the server presents to
> client. But why do we need publicKey as well? I think it is contained in
> the userCertificate. No?

I assume too.

Kind Regards,
Stefan

[1] http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java?view=markup
