Skip to content

Publishing CA Certificate to LDAP Server

Endi S. Dewata edited this page Aug 8, 2022 · 11 revisions

Overview

This page describes the process to configure CA to publish the CA certificate to an LDAP server.

To configure OCSP responder to get the CA certificate from an LDAP server, see:

Preparing LDAP Server

Prepare a CA certificate publishing subtree:

$ ldapadd \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: dc=crl,dc=pki,dc=example,dc=com
objectClass: domain
dc: crl

Configuring CA Certificate Publishing

The CA certificate publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

To configure the LDAP connection:

$ pki-server ca-config-set ca.publish.ldappublish.enable true
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host $HOSTNAME
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 389
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.clientCertNickname ""

To configure LDAP-based CA certificate publisher:

$ pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr "cACertificate;binary"
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass pkiCA
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.pluginName LdapCaCertPublisher

To configure CA certificate mapper:

$ pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.createCAEntry true
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.dnPattern "cn=\$subj.cn,dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.pluginName LdapCaSimpleMap

To configure CA certificate publishing rule:

$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.enable true
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.mapper LdapCaCertMap
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.pluginName Rule
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.predicate ""
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.publisher LdapCaCertPublisher
$ pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.type cacert

To enable publishing:

$ pki-server ca-config-set ca.publish.enable true

Finally, restart the server.

Verification

To retrieve the published CA certificate:

$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=crl,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=pkiCA)"
dn: cn=CA Signing Certificate,dc=crl,dc=pki,dc=example,dc=com
cn: CA Signing Certificate
sn: CA Signing Certificate
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pkiCA
cACertificate;binary:< file://<path>

To view the published CA certificate:

$ openssl x509 \
    -in <path> \
    -inform DER \
    -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:21:e0:1a:ab:16:78:60:d5:61:c6:2b:fc:de:dd:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Validity
            Not Before: Jul 29 00:26:54 2022 GMT
            Not After : Jul 29 00:26:54 2042 GMT
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:e7:ce:da:04:fc:4f:47:b6:0b:da:98:a9:08:d4:
                    54:ec:45:c0:24:ce:8e:10:4f:fe:da:e5:0e:64:2e:
                    6e:76:61:ae:0a:ec:15:34:d1:79:8a:dd:7e:bc:6b:
                    f7:d2:5e:9d:34:01:35:f1:c3:d0:bf:71:72:e2:df:
                    b1:52:d7:4c:51:a7:68:42:c5:38:8d:b9:44:b5:bb:
                    af:ab:35:8e:4a:06:a9:63:d7:64:38:33:12:aa:b7:
                    ac:ab:c5:db:ec:29:7c:51:f4:89:bd:39:3e:21:d9:
                    4c:51:01:db:6c:73:b2:91:81:93:22:5c:39:9d:68:
                    f4:b1:e0:0c:a7:eb:7f:26:6a:69:29:2a:a1:50:1e:
                    0a:a4:62:70:bc:ef:09:17:08:2e:85:85:d4:c3:87:
                    83:9c:84:64:65:2c:ac:43:03:06:c2:63:91:9b:0c:
                    80:da:f2:b2:20:81:09:76:58:a2:dd:7b:1e:78:b8:
                    31:d9:ce:09:bc:bb:1c:42:2a:2b:74:c3:64:ef:ee:
                    0b:a9:16:44:e0:9f:e3:1b:65:3e:b0:25:a0:6e:95:
                    34:03:0c:12:32:96:2a:29:92:4e:10:f7:89:9e:83:
                    02:45:80:74:d9:78:db:fe:7f:35:43:1d:9a:2d:4c:
                    6b:f2:9d:68:f8:37:d5:e2:c0:bc:3f:6d:c6:54:0b:
                    c7:23:18:f3:fd:4b:b5:38:64:39:41:a7:dc:29:e1:
                    5d:b2:a6:6a:c1:4c:e6:9e:f2:61:f6:5e:bf:82:61:
                    08:15:e7:4b:29:10:ac:33:bc:d2:b9:03:2f:99:42:
                    c9:0b:72:d3:c2:ea:18:41:10:97:c3:23:37:1d:d6:
                    3d:75:82:41:ff:11:58:17:38:28:47:73:ad:8a:f1:
                    c4:22:e6:70:c8:a8:90:1a:53:4e:94:51:31:f9:b8:
                    a5:8d:02:c6:19:28:82:a4:49:2d:df:4d:62:79:58:
                    95:97:bc:0a:fe:cd:44:f1:38:dc:b3:3f:67:f0:fb:
                    78:48:87:0b:86:00:57:ec:db:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                FF:8C:98:75:1B:0C:B8:46:4D:FA:99:F1:91:E6:A4:C3:11:26:CE:BE
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                FF:8C:98:75:1B:0C:B8:46:4D:FA:99:F1:91:E6:A4:C3:11:26:CE:BE
            Authority Information Access:
                OCSP - URI:http://pki.example.com:8080/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9c:15:d2:14:06:26:d0:b4:ff:88:f5:67:fa:61:e3:df:82:06:
        8f:3b:de:aa:31:fd:d5:b6:df:1a:7f:2b:31:23:79:47:05:b0:
        60:a9:ed:aa:a8:3d:9f:ad:8e:01:71:28:b4:96:35:a2:f1:f7:
        de:4a:08:ec:bc:fa:37:05:c5:4f:3c:13:0a:53:66:c2:d3:ef:
        ee:d6:70:2a:8e:59:bc:35:8a:17:de:18:5b:79:41:a2:1f:ea:
        19:6f:b5:ee:f1:d7:49:99:03:9c:c4:5d:3f:88:71:86:d3:23:
        d8:1a:84:22:6d:cf:4f:8b:c2:e5:67:5c:75:13:0a:8a:a8:5b:
        c1:1e:34:ab:57:03:d3:0f:5b:22:8c:10:29:ca:69:c8:f2:9c:
        9d:cb:6c:71:94:3a:f9:08:72:80:05:60:c8:a8:ac:7b:ed:06:
        e2:c7:d1:60:1d:93:8e:f7:c7:11:ea:4a:60:8a:ad:7d:18:31:
        56:b2:cd:36:f0:f1:7a:08:89:53:a3:fb:29:e4:b4:da:be:9f:
        73:84:e1:e0:5f:65:23:d8:57:cd:b0:a2:9c:d2:bb:69:71:b4:
        73:83:b4:d1:42:5e:d6:ac:25:76:7d:96:e5:49:90:b9:b8:8f:
        8d:8c:9c:25:8e:7d:06:79:1e:1b:db:d2:8f:70:47:e7:f3:ec:
        5d:25:4c:80:f3:56:47:bd:06:fd:fa:6f:b3:78:37:19:f1:19:
        e3:d3:d6:7c:81:89:58:95:ca:a3:7f:d2:0e:0c:49:4a:d2:98:
        74:6f:0b:6e:98:1f:9d:7c:ee:e3:2c:3f:ee:df:05:86:b4:29:
        62:18:2a:d3:8c:b1:b6:ec:a5:9b:ca:08:19:84:4c:ad:18:d6:
        c4:21:e4:82:11:0f:c6:16:ca:85:ce:92:05:9d:7b:3a:7c:01:
        5c:cc:f7:ce:c1:36:1a:09:c8:c5:1b:0f:cd:a3:20:89:82:ff:
        78:20:b1:4e:34:68:a9:9a:a3:1b:5f:10:e1:96:61:dd:ab:55:
        5b:51:32:13:b7:ff
Clone this wiki locally