Hi Mat,

Indeed, both attributes need to be in sync to work correctly.

Thanks for the detailed step by step procedure.

Regards,
Pierre-Arnaud

On 27 June 2012, at 21:23, Mat Gessel wrote:

> Figured it out. In this case the handshake error means that the data
> being served does not cryptographically correspond to the trusted
> certificate. The value of "userCertificate" must be derived from the
> value of "privateKey". If you change "userCertificate" on
> "uid=admin,ou=system" you must also change "privateKey" to the
> corresponding private key.
>
> Getting a private key and corresponding certificate is a bit difficult
> with keytool (the Java key/certificate tool) because keytool does not
> expose private keys. Here is the procedure I came up with (copied from
> another document):
>
> *** Installing a Certificate Generated By Keytool ***
>
> When you create a new server, a private key and certificate are
> automatically created on the admin entry (uid=admin,ou=system).
> Unfortunately, the certificate references a non-existent issuer. This
> means that clients which expect a valid certificate cannot connect to
> the server.
>
> In this procedure we will:
> 1. create a keystore containing a private key & certificate.
> 2. export the certificate
> 3. export the public key to X.509/DER format
> 4. export the private key to PKCS#8/DER format
> 5. import the keys and certificate to ApacheDS
>
> # create a PKCS#12 keystore containing a 2048 bit RSA private key and
> # a certificate for localhost
> # the CN must match the host name of the server. A CN of "localhost"
> # will not work for ldaps://my-server:389 or vice-versa
> # we create a keystore in PKCS#12 format for consumption by OpenSSL
> keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias ldap \
>   -dname "cn=localhost" -keypass changeit -keystore ldap.p12 \
>   -storepass changeit -storetype PKCS12
>
> # extract a certificate from the keystore
> keytool -exportcert -alias ldap -rfc -keystore ldap.p12 -storepass changeit \
>   -storetype PKCS12 -file ldap.cer
>
> # extract the private key from the keystore
> openssl pkcs12 -in ldap.p12 -passin pass:changeit -nodes -nocerts | \
>   openssl rsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out ldap-privatekey.der
>
> # derive a public key from the private key in the keystore (this may
> # be incorrect, but it does not seem to matter for ApacheDS)
> openssl pkcs12 -in ldap.p12 -passin pass:changeit -nodes -nocerts | \
>   openssl rsa -pubout -outform DER -out ldap-publickey.der
>
> # import the server certificate to the truststore for V-Flex to use
> # this is a self-signed (root) certificate, so you will be asked to confirm
> # that you trust it
> keytool -importcert -alias ldap -keystore .truststore -storepass changeit \
>   -keypass changeit -file ldap.cer
>
> To utilize the keys and certificate in ApacheDS:
> 1. browse to uid=admin,ou=system in the LDAP Browser
> 2. double-click on privateKey, click Load Data..., select
>    ldap-privatekey.der and click OK
> 3. double-click on publicKey, click Load Data..., select
>    ldap-publickey.der and click OK
> 4. double-click on userCertificate, click Load Certificate..., select
>    ldap.cer and click OK
> 5. disconnect from the server
> 6. stop the server
> 7. restart the server
> 8. connect to the server
> 9. accept the new certificate as trusted
>
> --
> Mat Gessel
> http://www.asquare.net
>
> On Tue, Jun 26, 2012 at 12:30 PM, Mat Gessel <[email protected]> wrote:
>> However, I am unable to connect
>> when I specify a self-signed certificate for the server (via
>> uid=admin,ou=system).
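The procedure quoted above hinges on one invariant: the certificate loaded into userCertificate must carry the public key that belongs to the privateKey attribute, or every TLS handshake fails. The script below is an added example, not part of this thread or of ApacheDS, and it differs from Mat's steps in one assumption: it uses openssl alone (no keytool or PKCS#12 keystore) to produce the same three artifacts, a PKCS#8/DER private key, an X.509/DER public key and a PEM certificate for a placeholder CN, and then checks that the certificate and key actually match before anything is imported, by comparing the SubjectPublicKeyInfo derived from the private key with the one embedded in the certificate. File names, the CN and the working directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build the key material the
# ApacheDS attributes expect with openssl only, then verify the pair matches.
# Assumptions: openssl on PATH; CN, lifetime, WORK dir and file names are
# placeholders for this illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-localhost}"   # must equal the host name clients put in ldaps://host:port

# 1. RSA-2048 private key plus a self-signed certificate for $CN (PEM, no keystore)
gen_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CN" \
        -keyout "$WORK/ldap-key.pem" -out "$WORK/ldap.cer" 2>/dev/null
}

# 2. private key as unencrypted PKCS#8 / DER, the encoding the privateKey attribute holds
export_private_key() {
    openssl pkcs8 -topk8 -nocrypt -in "$WORK/ldap-key.pem" \
        -outform DER -out "$WORK/ldap-privatekey.der"
}

# 3. public key as X.509 SubjectPublicKeyInfo / DER for the publicKey attribute
export_public_key() {
    openssl pkey -in "$WORK/ldap-key.pem" -pubout \
        -outform DER -out "$WORK/ldap-publickey.der"
}

# 4. sanity check: both DER files parse back as the key types ApacheDS will load
verify_exports() {
    openssl pkey -inform DER -in "$WORK/ldap-privatekey.der" -noout 2>/dev/null &&
    openssl pkey -pubin -inform DER -in "$WORK/ldap-publickey.der" -noout 2>/dev/null &&
    echo ok || echo BAD
}

# 5. the invariant: public key derived from the private key must equal the
#    public key inside the certificate; compared via SHA-256 of their DER forms.
#    A mismatch here is exactly the "handshake error" discussed in the thread.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Negative case: an unrelated key against the same certificate must be rejected,
# which is what happens when only userCertificate is replaced on uid=admin,ou=system.
mismatch_demo() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other-key.pem" 2>/dev/null
    key_matches_cert "$WORK/other-key.pem" "$WORK/ldap.cer"
}

gen_key_and_cert
export_private_key
export_public_key
echo "DER exports parse: $(verify_exports)"
echo "ldap-key.pem vs ldap.cer: $(key_matches_cert "$WORK/ldap-key.pem" "$WORK/ldap.cer")"
echo "unrelated key vs ldap.cer: $(mismatch_demo)"
echo "artifacts in $WORK: ldap-privatekey.der ldap-publickey.der ldap.cer"
```

Run it once before the "Load Data..." steps; only when the first comparison prints "match" are ldap-privatekey.der, ldap-publickey.der and ldap.cer a consistent set to load into privateKey, publicKey and userCertificate. The same key_matches_cert check also works against a key and certificate extracted from an existing PKCS#12 keystore, which is a cheap way to confirm the pair before touching the admin entry.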
