Skip to content

Instantly share code, notes, and snippets.

Last active July 11, 2022 12:41
What would you like to do?
Let's Encrypt 389 Directory Server

Let's Encrypt the 389 Directory Server

The following procedure is for installing a wildcard cert and key paid from Let's Encrypt for the 389 Directory Server.

  1. Use the 389 Console gui to create a certificate database db and to import the Let's Encrypt certificate chain cert (which will be in PEM format). See secs. and of the Red Hat Directory Server Administration Guide for details.

  2. Create a pin.txt file under /etc/dirsrv/slapd-[instance name]:

Internal (Software) Token:agoodpassword
  1. Convert your key and cert obtained from Let's Encrypt to PKCS12 format:
openssl pkcs12 -export -out myhost.pfx -inkey myhost.key -in myhost.crt -certfile letsencrypt-chain.crt
  1. Import myhost.pfx into the directory server:
pk12util -i myhost.pfx -d /etc/dirsrv/slapd-myserver -W agoodpassword
  1. Verify everything is installed:
certutil -L -d /etc/dirsrv/slapd-myserver
certutil -K -d /etc/dirsrv/slapd-myserver
  1. Enable TLS/SSL in the 389 Console gui following the instructions found in sec. of the Red Hat Directory Administration Guide.

  2. Test connecting to the directory over TLS/SSL:

ldapsearch -LLL -v -x -H ldaps:// -b "dc=example,dc=com" -s base "(objectclass=*)"

ldap_initialize( ldaps:// )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment