In order to configure SSL for LDAP on the Windows Server, you must install the MMC snap-in to manage local certificates, create a certificate request, have the request signed by a CA, import the signed certificate into the local keystore, import the CA certificate as a trusted root CA, and then reboot the server for the new configuration to take effect.
Installation of the local certificates MMC snap-in
Install the certificate snap-in for MMC so you can manage the certificates in your local machine keystore. The procedure to install the MMC snap-in is as follows.
1. Start the Management Console (MMC) by selecting Start, then Run. Type mmc /a and select OK.
2. Select the File → Add/Remove Snap-in menu to open the Add/Remove Snap-in dialog.
3. Select the Add button to open the Add Standalone Snap-In dialog. Select the Certificates snap-in and then the Add button.
4. Select the Computer Account option to manage system-wide certificates. Select the Next button to continue.
5. Select the Local Computer option to manage certificates on the local computer only. Select the Finish, Close, and then the OK button to complete the snap-in installation.
6. Select File → Save as and save the console configuration in the %SYSTEMROOT%\system32 directory with a file name of localcert.msc.
7. Create a shortcut in the Administrative Tools folder of your Start menu: right-click the Start menu and select Open All Users, then open the Programs folder and then the Administrative Tools folder.
8. Select the File → New → Shortcut menu. Then enter the location of the saved console, %SYSTEMROOT%\system32\localcert.msc, in the “Type the location of the item” field. Select Next to continue.
9. Enter the name of the new shortcut, Certificates (Local Computer), in the “Type a name for this shortcut” field.
10. To start the local certificate management tool, select Start → Administrative Tools → Certificates (Local Computer).
The certificates used by Active Directory are located in the Console Root → Certificates (Local Computer) → Personal → Certificates folder. The list of trusted root certification authorities is located in the Console Root → Certificates (Local Computer) → Trusted Certification Authorities → Certificates folder.
Generating Windows Server certificate
You must use the certreq command to generate a certificate request. The certreq command uses a policy file that specifies the attributes needed to generate a certificate, such as the subject's common name, the key length, and additional key usage extensions. Active Directory requires that the certificate meet the following requirements:
1. The private key and certificate for the local machine must be imported into the local computer’s personal keystore.
2. The fully qualified domain name (FQDN) for the Active Directory must appear in the common name (CN) in the subject field or DNS entry in the subject alternative name extension.
3. The certificate must be issued by a CA that the domain controller and the LDAP clients trust.
4. The certificate must contain the enhanced key usage extension that specifies the server authentication object identifier (OID) 1.3.6.1.5.5.7.3.1. This OID indicates that the certificate will be used as an SSL server certificate.
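The four requirements above can be checked mechanically with the openssl command-line tool before the certificate is put on a domain controller. The following script is an added example, not part of the original article: it builds a constructed test CA and two test certificates (the names client.austin.ibm.com and the ibm.com CA are taken from the article; all paths, the use of OpenSSL 1.1.1 or later, and the check function itself are assumptions) and verifies each requirement in turn, including the private-key match that certreq -accept relies on.

```shell
#!/bin/sh
# Added example (not from the original article): check a server certificate
# against the four Active Directory LDAPS requirements using only the openssl CLI.
# Assumes OpenSSL 1.1.1 or later; the test CA, hostnames and files are constructed.
set -e
WORK=$(mktemp -d)

# check_ldaps_cert CERT KEY FQDN CAFILE -> exit status 0 if all four requirements hold
check_ldaps_cert() {
  cert=$1; key=$2; fqdn=$3; cafile=$4
  # 1. A private key matching the certificate must be present (what certreq -accept pairs up).
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$cert: private key does not match"; return 1; }
  # 2. The FQDN must be the subject CN or a DNS entry of the subject alternative name.
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject= *//' | tr ',' '\n' | grep -Fxq "CN=$fqdn" \
    || openssl x509 -in "$cert" -noout -text | tr -s ', ' '\n\n' | grep -Fxq "DNS:$fqdn" \
    || { echo "$cert: $fqdn is not in the CN or SAN"; return 1; }
  # 3 + 4. It must chain to the trusted CA and carry the server authentication EKU
  #        (OID 1.3.6.1.5.5.7.3.1); -purpose sslserver makes verify enforce the EKU.
  openssl verify -purpose sslserver -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not verify as an SSL server certificate"; return 1; }
}

# Constructed test CA standing in for the article's ibm.com CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/O=ibm.com/CN=CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# issue_test_cert FQDN EKU NAME: sign $WORK/NAME.pem (key in NAME.key) for FQDN,
# with the given extendedKeyUsage value, using the test CA.
issue_test_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$2" "$1" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" 2>/dev/null
}

make_test_ca
issue_test_cert client.austin.ibm.com serverAuth good
issue_test_cert client.austin.ibm.com clientAuth bad    # wrong EKU for an LDAPS server
check_ldaps_cert "$WORK/good.pem" "$WORK/good.key" client.austin.ibm.com "$WORK/cacert.pem" \
  && echo "good.pem: meets all four requirements"
check_ldaps_cert "$WORK/bad.pem" "$WORK/bad.key" client.austin.ibm.com "$WORK/cacert.pem" \
  || echo "bad.pem: rejected as expected"
```

To check a real domain controller certificate, export it from the Personal store together with its key and pass the files, the server FQDN and cacert.pem to check_ldaps_cert.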
Example 1 Creating the certificate request on Windows Server
; client.austin.ibm.com_req.inf -- certreq policy file
[NewRequest]
; the domain controller's FQDN must appear in the subject CN (requirement 2)
Subject = "CN=client.austin.ibm.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; 0xa0 = Digital Signature + Key Encipherment
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; this is for Server Authentication (requirement 4)
OID = 1.3.6.1.5.5.7.3.1
C:\>certreq -new client.austin.ibm.com_req.inf client.austin.ibm.com_req.pem
Signing and importing Windows server certificate
After the certificate request is generated, you must send it to the certificate authority to be signed. See the section “Steps to sign a certificate using OpenSSL” below. After the signed certificate is returned, you must import it into the local machine’s personal keystore.
Example 2 Accepting the signed certificate into local certificate keystore
C:\>certreq -accept client.austin.ibm.com_cert.pem
C:\>certutil -store my
================ Certificate 0 ================
Serial Number: 07
Issuer: E=CA@ibm.com, CN=CA, O=ibm.com, L=Austin, S=TX, C=us
Cert Hash(sha1): e2 25 17 4d 44 a6 8a 16 a7 da 79 71 ea 12 31 44 2d ab c1 98
Key Container =
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
CertUtil: -store command completed successfully.
Importing Certificate Authority certificate
Until the ibm.com CA is designated as a trusted root, any certificates signed by that CA will be untrusted. You must import the CA’s certificate, using the local certificate management tool, into the Trusted Certification Authorities folder in the local keystore.
To start the local certificate management tool, select Start → Administrative Tools → Certificates (Local Computer).
1. After the certificate tool opens, select the Console Root → Certificates (Local Computer) → Trusted Certification Authorities folder.
2. Start the certificate import wizard by selecting the Action → All Tasks → Import menu. Select the Next button to continue.
3. Select the file you want to import. The ibm.com CA certificate is located in the cacert.pem file. Select the Next button to continue.
4. Select the Place all certificates in the following store option and make sure the certificate store field is set to Trusted Root Certification Authorities. Select the Next button to continue.
5. The CA certificate is now imported. Select the Finish button to close the wizard.
After the CA and server certificates are imported into the local keystore, you can then use the local certificate management tool to check whether the certificates are correctly imported.
Open the Console Root → Certificates (Local Computer) → Personal → Certificates folder and select the certificate issued to client.austin.ibm.com. Check that the certificate is valid, that it was issued by the ibm.com CA, and that it has a corresponding private key in the keystore. The text Ensures the identity of the remote computer indicates that the certificate has the required server authentication key usage defined.
To check the ibm.com CA certificate, open the Console Root → Certificates (Local Computer) → Trusted Certification Authorities → Certificates folder and select the ibm.com CA certificate.
Note: In order to complete the configuration of SSL for the Active Directory, you must reboot the Windows server.
AIX 5L LDAP Client SSL configuration
You must use the gsk7cmd command to generate a key database and then import the ibm.com CA certificate. This allows the LDAP client to validate that the server’s certificate was issued by a trusted CA, which mitigates the risk of the LDAP client connecting to a rogue server.
Creating key database and importing CA certificate
The example below shows the creation of the certificate management system (CMS) key database and the import of the CA certificate. The first gsk7cmd command creates a CMS key database named /usr/ldap/etc/client_keydb.kdb with the password passw0rd!. The second command adds the ibm.com CA certificate from the /usr/ldap/etc/cacert.pem file to the key database; the -trust enable parameter marks the certificate as a trusted root certificate. The third command lets you check that the certificate was imported correctly into the key database.
Example 1 Creating key database and importing CA certificate on AIX 5L
# gsk7cmd -keydb -create -db /usr/ldap/etc/client_keydb.kdb -pw passw0rd! -type cms -stash
# gsk7cmd -cert -add -db /usr/ldap/etc/client_keydb.kdb -pw passw0rd! -label "ibm.com CA Certificate" -format binary -trust enable -file /usr/ldap/etc/cacert.pem
# gsk7cmd -cert -details -db /usr/ldap/etc/client_keydb.kdb -pw passw0rd! -label "ibm.com CA Certificate"
<List the certificate details>
Example 2 Low-level SSL validation using the openssl s_client
# openssl s_client -ssl2 -connect server.austin.ibm.com:636 -CAfile /usr/ldap/etc/cacert.pem -showcerts
<Check the return code, it should be 0>
Example 3 Testing LDAP over SSL using ldapsearch command
# ldapsearch -b 'cn=Users,dc=ibm,dc=com' -h server.austin.ibm.com -s base -Z -p 636 -K /usr/ldap/etc/client_keydb.kdb -P 'passw0rd!' -D 'dc=ibm,dc=com' -w 'passw0rd!' '(objectclass=*)'
<List the objects>
Note: If you want to set up the same key database on other AIX clients, copy cacert.pem to the machine and run the commands from Example 1 of the section "Creating key database and importing CA certificate".
Steps to Sign a certificate using OpenSSL
1. Set up the certificate authority (one-time setup).
2. Make sure OpenSSL is installed on your machine.
Creating the CA Certificate
To set up the CA for the ibm.com domain we make some assumptions and modify openssl.cnf so that the CA reflects them. The file can be found at /var/ssl/openssl.cnf and the relevant sections are shown in the example below. Note that copy_extensions = copy makes the CA honour whatever extensions the requester put into the request (here the server authentication extended key usage), so each request should be inspected before it is signed, and default_md = md5 is the setting of the original configuration; sha256 should be used on current systems.
Example: 1 openssl.cnf
[ CA_default ]
dir              = /var/ssl/ibm.com          # Where everything is kept
certs            = $dir/certs                # Where the issued certs are kept
crl_dir          = $dir/crl                  # Where the issued crl are kept
database         = $dir/index.txt            # database index file.
unique_subject   = yes
new_certs_dir    = $dir/newcerts             # default place for new certs.
certificate      = $dir/cacert.pem           # The CA certificate
serial           = $dir/serial               # The current serial number
                                             # must be commented out to leave a V1
crl              = $dir/crl.pem              # The current CRL
private_key      = $dir/private/cakey.pem    # The private key
RANDFILE         = $dir/private/.rand        # private random number file
x509_extensions  = usr_cert                  # The extensions to add to the cert
name_opt         = ca_default                # Subject Name options
cert_opt         = ca_default                # Certificate field options
copy_extensions  = copy
default_days     = 365                       # how long to certify for
default_crl_days = 30                        # how long before next CRL
default_md       = md5                       # which md to use.
preserve         = no                        # keep passed DN ordering
policy           = policy_match
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = us
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = TX
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ibm.com
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
Also, the directories referenced by the configuration for the certificates and keys must be created, and the private key directory should be readable by the CA operator only:
mkdir -p /var/ssl/ibm.com/certs /var/ssl/ibm.com/crl /var/ssl/ibm.com/newcerts /var/ssl/ibm.com/private
chmod 700 /var/ssl/ibm.com/private
OpenSSL maintains the CA state in a couple of files, which must also be created: the serial number file and the (initially empty) database index:
echo "01" > /var/ssl/ibm.com/serial
touch /var/ssl/ibm.com/index.txt
The access rights on the directories and files should be reviewed to restrict access to the CA and, most importantly, to the private key as far as possible. To create the CA certificate, the OpenSSL command is issued directly, as shown in the example below.
Example: 2 Generating the CA certificate
# openssl req -new -x509 -keyout /var/ssl/ibm.com/private/cakey.pem -out /var/ssl/ibm.com/cacert.pem
Generating a 1024 bit RSA private key
writing new private key to '/var/ssl/ibm.com/private/ibm.com.CA.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [us]:
State or Province Name (full name) [TX]:
Locality Name (eg, city) : Austin
Organization Name (eg, company) [ibm.com]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :CA
Email Address :CA@ibm.com
During the creation of the certificate, the missing information must be provided, and the values defined as defaults in the openssl.cnf file must be confirmed. The pass phrase for the CA private key must be given during the creation process; it is needed whenever the CA’s private key is used. The certificate can be displayed as in the example below.
Example: 3 Certificate fields
# openssl x509 -in cacert.pem -text
<Display certificate details>
The example below shows the signing of the server request, producing a certificate with extensions for key usage.
Example: 4 Certificate for client
# cd /var/ssl/ibm.com
# openssl ca -policy policy_anything -cert cacert.pem -keyfile private/cakey.pem -out client.austin.ibm.com_cert.pem -in client.austin.ibm.com_req.pem
Using configuration from /var/ssl/openssl.cnf
Enter pass phrase for private/cakey.pem:
DEBUG[load_index]: unique_subject = "no"
Check that the request matches the signature
Serial Number: 7 (0x7)
Not Before: Sep 21 16:56:42 2010 GMT
Not After : Sep 21 16:56:42 2011 GMT
commonName = server.austin.ibm.com
X509v3 Basic Constraints:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Certificate is to be certified until Sep 21 16:56:42 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated