How to create a custom certificate and apply to eDirectory LDAP server

  • 7018091
  • 22-Sep-2016
  • 22-Sep-2016

Environment

Novell eDirectory
NetIQ iManager

Situation

How to create / generate a self-signed certificate with a custom Signature algorithm (SHA 2, etc.)
How to change LDAP Encryption Method

Resolution

You can create a custom eDirectory LDAP certificate by completing the following steps:

  1. Create the self-signed certificate:
    • Authenticate to iManager
    • Under the Roles and Tasks section click on NetIQ Certificate Server
    • Click Create Server Certificate
    • Select which LDAP server that will own the server certificate
    • Enter a Nickname for the certificate
    • Under Creation method - select Custom (User Specifies Parameters)
    • Click Next
    • Select how to have the Certificate signed. To have the TREE CA sign, please select the Organizational Certificate Authority Option
    • Click Next
    • Take the default options, unless other customization is needed
    • Click Next
    • Click the drop down for the Signature algorithm and select the preferred option (i.e. SHA 256-RSA (SHA2))
    • Take the defaults for all of the options unless otherwise needed
    • Click Next
    • Select where to place the certificate in the TREE (i.e. Your organization's certificate)
    • Click Next
    • Look over the parameters, if all looks good - Click Finish
    • Click Close

  2. Implement the certificate created above with the intended LDAP Server:
    • Assign the certificate to the LDAP server in iManager:
      • Click the View Objects tab (Magnify Glass)
      • Navigate and Click your LDAP server object
      • In the pop up window Click Modify Object
      • Click the Connections Tab
      • Click the Server Certificate Magnify Glass
      • In the pop up window Click drop down and select the new custom cert
      • Click OK
      • Click Apply
  3. (optional) To verify the new certificate has been loaded, please type the following command on a Linux server:
    echo | openssl s_client -connect ldapserveraddress:636 2>/dev/null | openssl x509 -text
    Note: Refer to the additional info on what this output could look like.

Additional Information

Here is example output from verification step 3 above:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:1c:14:e1:6e:79:9d:06:a1:13:e6:59:eb:fd:63:e9:61:fa:b0:76:0e:87:a7                                                                                                                                                             :f4:4b:34:95:1c:64:a4:02:03:38:5c:dd:0b:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=TREENAME, OU=Organizational CA
        Validity
            Not Before: Sep 22 17:20:00 2016 GMT
            Not After : Sep 22 17:20:00 2018 GMT
        Subject: O=SNIELSON2_TREE, CN=sNIelson2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:99:8f:9e:9e:9f:eb:10:82:5b:dc:a6:2b:d7:5a:
                    5e:5f:d6:f5:b8:77:99:86:97:23:b2:11:21:80:da:
                    1e:be:06:da:ee:46:83:24:43:ff:ca:c5:95:0f:ff:
                    82:28:20:b8:b0:61:1a:e8:cd:40:9e:a1:09:b7:99:
                    4d:e8:74:ff:89:c8:7c:ea:41:3c:2f:9d:a5:9d:4e:
                    10:fa:a5:63:ee:23:0b:a3:10:78:9a:ff:3e:fc:63:
                    e9:b6:c6:08:30:12:f1:c4:5f:28:0c:dc:ce:5f:dd:
                    3b:00:0d:e8:19:f1:b0:da:b5:7c:5e:57:f9:25:b0:
                    53:ad:2b:02:ad:b4:0e:df:93:b5:77:fc:86:6f:58:
                    2b:25:2b:3d:72:fc:9e:76:22:3e:95:aa:fd:b2:f6:
                    50:17:91:72:e2:44:68:66:30:27:1a:98:88:cc:1c:
                    b0:23:db:18:29:98:07:46:e6:fb:72:b3:46:b5:a2:
                    62:9e:7b:6e:a1:49:fe:d6:42:ae:30:46:37:7f:87:
                    2c:67:c2:45:29:fe:2c:6f:02:bc:6a:02:f8:7a:91:
                    a4:eb:bd:81:8d:a3:00:e7:e9:d3:73:b2:5d:32:89:
                    03:8c:25:78:ee:c3:41:18:fe:9c:f6:71:60:e7:f5:
                    27:26:1e:54:9e:b9:ee:02:82:8b:1e:65:1f:c2:df:
                    6c:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CE:39:BE:C5:46:BB:C4:69:17:73:B2:C8:16:3B:28:6F:B5:F9:5F:9B
            X509v3 Authority Key Identifier:
                keyid:C9:F8:38:AA:E2:E7:98:30:B4:CA:43:78:CD:7B:70:32:3B:95:50:F                                                                                                                                                             F

            X509v3 Subject Alternative Name:
                IP Address:151.155.215.93
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            2.16.840.1.113719.1.9.4.1:
                0............Novell Security Attribute(tm).Chttp://developer.nov                                                                                                                                                             ell.com/repository/attributes/certattrs_v10.htm0..H.....0.0......F0.0......
........................0.0......................H0.0......................H.X..                                                                                                                                                             .@..............@.......0.0.....................ny0.0.....................ny.N0L                                                                                                                                                             ........................0.0.................0.0.................
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
        42:11:d8:d1:55:1f:bf:ce:4c:fc:61:8a:11:33:3f:7d:26:1b:
        80:e6:c1:1f:ac:75:29:d2:82:43:9e:f8:aa:75:f5:6f:05:57:
        d9:4f:75:dd:8c:64:ad:96:67:0b:06:fb:cc:96:3a:69:77:37:
        49:19:0e:01:43:2f:77:01:a8:4c:00:02:37:b4:a7:a6:57:2e:
        a4:76:3d:4e:95:8f:da:8c:d5:11:29:a6:1b:75:c1:e4:5d:58:
        ab:08:63:83:e9:4f:8e:6c:f3:53:62:b1:99:30:8b:33:55:13:
        7d:de:b0:d0:4d:09:79:66:13:f9:a5:ed:c4:73:d1:9f:7f:75:
        40:53:5a:5c:53:3f:4c:9b:2a:2d:a8:a0:43:f4:36:25:6c:9a:
        e5:d4:e3:b9:4f:4a:c8:fd:ab:91:7e:92:e9:3c:da:d5:dc:ea:
        b4:dc:c4:9a:62:91:02:26:ee:56:fa:c6:7a:b3:ff:6c:30:86:
        ae:37:d9:c5:9b:ac:a0:d6:62:17:ff:c4:a8:aa:d0:8e:5a:c9:
        c2:6c:33:6e:57:2f:95:3e:3d:32:bd:44:a0:66:30:14:b7:9d:
        64:82:cd:fa:d6:af:c6:8f:f4:15:c6:0b:2d:b9:22:8d:2b:22:
        06:f2:61:b1:e9:c7:32:96:86:32:3c:57:5f:c5:80:80:0b:13:
        d7:84:5d:e3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Feedback service temporarily unavailable. For content questions or problems, please contact Support.