Hi Alex!
Alex Karasulu wrote:
Also setting up your own certificate and adding it to the DIT is pretty
easy even without specific tooling. Note that this use of the external
file store is the antiquated way to do it. Certs were designed to be
stored in directories in the first place. This file thing is going
backwards and often the case when you don't have a directory. Why would
a directory store it's certs in a file when it has access to the
directory store in the first place. If we consider the big picture the
cert in the DIT way is the best option.
I see the problems with the keystore file, but the current DIT solution
is IMHO not sufficient to work with for our users.
Sun Java System Directory Server for instance offers tooling to create a
key pair in the DIT, export a CSR (certificate signing request), and
import a certificate signed from a third party.
Our current implementation creates a key pair and stores it in some
attributes in an entry automatically . Currently, there is no
(documented) way to influence on how keys and certificate look like.
I don't think that it is "pretty easy" setting up your own certificate.
At least I don not have any idea on how to accomplish this task without
custom application development.
I have started like this:
1. Create key pair with keytool
2. Store public and private key in DIT
3. Create certificate
4. (optional) Sign certificate
5. Store (signed) certificate in DIT
My problem is step 2, You can't export a private key from a keystore
with keytool (AFAIK). I had to write a program for this step.
Perhaps you can outline a better solution and I will document it step by
step in the wiki.
My favorite for the future would be an extended operation for key pair
creation. It would be easy to trigger it with studio.
Greetings from Hamburg,
Stefan
