Hi Stefan, I'm having the same problem and learned the hard way that storing the certificate + private key in the DS is not a smart thing to do. If you make a mistake as I apparently did, the server will refuse to start, so I basically locked myself out. Or at least I don't know how to change the values without Apache Directory Studio. Fortunately that was just a test instance and no production server (yet) :). I have an OpenSSL certificate, which I managed to convert into a keystore that I hope I can use with a future version of ApacheDS, but for the time being I would appreciate any advice on how to extract the certificate + keys from the keystore in the right format for the Admin Entry...
Cheers, Pieter

> Stefan Seelmann wrote on Wed, 06 Jan 2010 04:29:18 -0800
>
> Hi Matthias,
>
> Matthias Cramer wrote:
> > As it looks like, the starttls extension does not honor the keystore
> > configured in the ldapServer config.
>
> Yes, you are right. I just checked the source code and the configured
> keystore in server.xml isn't used for the StartTLS extended operation :-/
>
> You could find the certificate and key that are used in the Admin Entry
> (uid=admin,ou=system):
>
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
>
> What you need to do is to extract the private key, public key and certificate
> from your keystore and replace the attributes privateKey, publicKey and
> userCertificate with those guys. You could use Portecle and OpenSSL to
> extract that information. If you need further help don't hesitate to ask.
>
> Not very user friendly right now...
>
> Kind Regards,
> Stefan

-------------------------------------------------------------
mobile: +31 6 143 66 783
e-mail: [email protected]
skype: pieter.online
-------------------------------------------------------------
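The extraction Stefan describes, as an added example (not code from the thread or from the ApacheDS project): it pulls the PKCS#8 private key, X.509 public key and certificate out of a PKCS#12 keystore as DER, checks that certificate and key actually belong together before anything is written to the admin entry, and emits an LDIF modify for uid=admin,ou=system. It assumes openssl is on PATH, the keystore is PKCS#12 (a JKS can be converted first with keytool -importkeystore -deststoretype PKCS12) and the key is RSA; all file names are hypothetical.

```shell
# Assumes: openssl on PATH, a PKCS#12 keystore (convert a JKS first with
# keytool -importkeystore ... -deststoretype PKCS12), and an RSA key pair.
# File and directory names are hypothetical.
set -eu

# Single-line base64 of a file, as LDIF wants after the '::' separator.
b64() { openssl base64 -A -in "$1"; }

# Pull the three DER objects out of the keystore into $3/.
extract_keystore() {
  ks=$1; pw=$2; out=$3
  mkdir -p "$out"
  # private key -> unencrypted PKCS#8 DER (privateKeyFormat: PKCS#8)
  openssl pkcs12 -in "$ks" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
    openssl pkcs8 -topk8 -nocrypt -outform DER -out "$out/privkey.der"
  # public key -> X.509 SubjectPublicKeyInfo DER (publicKeyFormat: X.509)
  openssl pkey -inform DER -in "$out/privkey.der" -pubout -outform DER \
    -out "$out/pubkey.der"
  # end-entity certificate -> X.509 DER (userCertificate)
  openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null |
    openssl x509 -outform DER -out "$out/cert.der"
}

# Sanity check before touching the admin entry: the certificate must carry
# the same public key that was derived from the private key. Returns 0 if so.
verify_extracted() {
  openssl x509 -inform DER -in "$1/cert.der" -pubkey -noout |
    openssl pkey -pubin -outform DER | cmp -s - "$1/pubkey.der"
}

# LDIF modify for uid=admin,ou=system; feed it to ldapmodify.
admin_ldif() {
  d=$1
  printf 'dn: uid=admin,ou=system\nchangetype: modify\n'
  printf 'replace: keyAlgorithm\nkeyAlgorithm: RSA\n-\n'
  printf 'replace: privateKey\nprivateKey:: %s\n-\n' "$(b64 "$d/privkey.der")"
  printf 'replace: privateKeyFormat\nprivateKeyFormat: PKCS#8\n-\n'
  printf 'replace: publicKey\npublicKey:: %s\n-\n' "$(b64 "$d/pubkey.der")"
  printf 'replace: publicKeyFormat\npublicKeyFormat: X.509\n-\n'
  printf 'replace: userCertificate\nuserCertificate:: %s\n' "$(b64 "$d/cert.der")"
}

# Constructed input for trying this out: a throwaway self-signed RSA pair
# packed into a PKCS#12 keystore. Not needed when you have a real keystore.
make_sample_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ldap.example.test' \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -passout "pass:$2" -out "$1.p12"
}
```

Run verify_extracted on the output directory first, then apply the LDIF with ldapmodify against the running server (or import it in Apache Directory Studio) while the server is still starting with its old entry, since a mismatched pair is exactly what leaves the server refusing to start.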
