Skip to content

Instantly share code, notes, and snippets.

@NeftaliYagua

NeftaliYagua/LetsEncrypt389DS.md

Forked from plembo/LetsEncrypt389DS.md
Created July 11, 2022 12:41
Show Gist options
  • Save NeftaliYagua/0a85a5ef0f487874f751ce36b9d51ffa to your computer and use it in GitHub Desktop.
Save NeftaliYagua/0a85a5ef0f487874f751ce36b9d51ffa to your computer and use it in GitHub Desktop.
Download ZIP
Let's Encrypt 389 Directory Server
Raw
LetsEncrypt389DS.md

Let's Encrypt the 389 Directory Server

The following procedure is for installing a wildcard cert and key paid from Let's Encrypt for the 389 Directory Server.

  1. Use the 389 Console gui to create a certificate database db and to import the Let's Encrypt certificate chain cert (which will be in PEM format). See secs. 9.1.3.2 and 9.3.3.2 of the Red Hat Directory Server Administration Guide for details.

  2. Create a pin.txt file under /etc/dirsrv/slapd-[instance name]:

Internal (Software) Token:agoodpassword
  1. Convert your key and cert obtained from Let's Encrypt to PKCS12 format:
openssl pkcs12 -export -out myhost.pfx -inkey myhost.key -in myhost.crt -certfile letsencrypt-chain.crt
  1. Import myhost.pfx into the directory server:
pk12util -i myhost.pfx -d /etc/dirsrv/slapd-myserver -W agoodpassword
  1. Verify everything is installed:
certutil -L -d /etc/dirsrv/slapd-myserver
certutil -K -d /etc/dirsrv/slapd-myserver

  1. Enable TLS/SSL in the 389 Console gui following the instructions found in sec. 9.4.1.2 of the Red Hat Directory Administration Guide.

  2. Test connecting to the directory over TLS/SSL:

ldapsearch -LLL -v -x -H ldaps://ldap.example.com:636 -b "dc=example,dc=com" -s base "(objectclass=*)"

ldap_initialize( ldaps://ldap.example.com:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment