Skip to content

Configuring Client Certificate Authentication to Internal Database

Endi S. Dewata edited this page Mar 27, 2024 · 7 revisions

Overview

This document describes the procedure to enable client certificate authentication from PKI server to the internal database. It assumes that the secure connection to the internal database has been enabled.

Configuring Certificate Mapping in DS

Export PKI CA’s signing certificate into a PEM file:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -n "caSigningCert cert-pki-tomcat CA" -a > pkica.pem

Import the PEM file into DS server’s NSS database:

$ certutil -A -d /etc/dirsrv/slapd-pki-tomcat -n "PKI CA certificate" -t "CT,C,C" -i pkica.pem

Verify with the following command:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat

Configure DS certificate mapping in /etc/dirsrv/slapd-pki-tomcat/certmap.conf:

certmap example         CN=CA Signing Certificate,O=EXAMPLE
example:CmapLdapAttr    seeAlso
example:verifycert      on

This will map the subsystem certificate to pkidbuser since pkidbuser has a seeAlso attribute containing the subsystem certificate’s subject DN.

Restart the DS server:

$ systemctl restart [email protected]

Verify that the client certificate exists in PKI server’s NSS database:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -n "subsystemCert cert-pki-tomcat"

Verify with openldap-clients and PEM files:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "Directory Server CA certificate" -a \
    > dsca.pem
$ pki -d /var/lib/pki/pki-tomcat/alias -C /var/lib/pki/pki-tomcat/conf/password.conf \
    client-cert-show "subsystemCert cert-pki-tomcat" --cert subsystem.pem --private-key subsystem.key
$ LDAPTLS_CACERT=dsca.pem \
    LDAPTLS_CERT=subsystem.pem \
    LDAPTLS_KEY=subsystem.key \
    ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret.123 \
    -b "dc=example,dc=com" "(objectClass=*)"

or with openldap-clients and NSS database:

$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' \
    > /var/lib/pki/pki-tomcat/alias/password.txt
$ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/alias/password.txt
$ chmod 400 /var/lib/pki/pki-tomcat/alias/password.txt
$ LDAPTLS_CACERTDIR=/var/lib/pki/pki-tomcat/alias \
    LDAPTLS_CERT="subsystemCert cert-pki-tomcat" \
    LDAPTLS_KEY=/var/lib/pki/pki-tomcat/alias/password.txt \
    ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret.123 \
    -b "dc=example,dc=com" "(objectClass=*)"

Configuring Client Certificate Authentication in PKI Server

Configure PKI server to use the client certificate by editing /var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg:

internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-tomcat

Remove the unused internaldb.ldapauth.bindDN and internaldb.ldapauth.bindPWPrompt parameters.

Restart PKI server:

$ systemctl restart [email protected]

Verify that PKI server authenticates against the DS using client certificate with the following command:

$ pki ca-cert-find

See Also

Clone this wiki locally