Search
SupportConsoleDevelopersStart a trialContact

10.5. Updating the TLS Certificates Used for Attribute Encryption

download PDF
Attribute encryption is based on the TLS certificate. To prevent that attribute encryption fails after renewing or replacing the TLS certificate:
  1. Export the database with decrypted attributes. See Section 10.4.1, “Exporting an Encrypted Database”.
  2. Create a new Certificate Signing Request (CSR). See Section 9.3.1, “Creating a Certificate Signing Request”.
  3. Install the new certificate. See Section 9.3.4, “Installing a Server Certificate”.
  4. Stop the Directory Server instance: 
    # dsctl instance_name stop
  5. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and remove the following entries including their attributes:
    • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config

    Important

    Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
  6. Import the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
  7. Start the instance: 
    # dsctl instance_name start
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.