Chapter 5. Changing the CA trust flags
The certificate authority (CA) trust flags define for which scenarios Directory Server trusts a CA certificate. For example, you set the flags to trust the certificate for TLS connections to the server and for certificate-based authentication.
5.1. Changing the CA trust flags using the command line
You can set the following trust flags on a certificate authority (CA) certificate:
- C: Trusted CA
- T: Trusted CA client authentication
- c: Valid CA
- P: Trusted peer
- p: Valid peer
- u: Private key
You specify the trust flags as a comma-separated string with three categories, in this order: TLS, email, object signing.
For example, to trust the CA for TLS encryption and certificate-based authentication, set the trust flags to CT,, (the TLS category contains C and T, the email and object signing categories are left empty).
Prerequisites
- You imported a CA certificate to the network security services (NSS) database.
Procedure
Use the following command to change the trust flags of a CA certificate:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate set-trust-flags "Example CA" --flags "trust_flags"
Verification
Display all certificates in the NSS database:
# certutil -d /etc/dirsrv/slapd-instance_name/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
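The following Python example is added here and is not part of the Directory Server documentation or its tooling: it validates a trust-flags string such as CT,, before it is passed to --flags, and reads the trust attributes back out of certutil -L output (a constructed sample listing is embedded) so the verification step can be checked per certificate. It assumes the nickname and the trust attributes are the first and last whitespace-separated columns of each listing line.

```python
# Trust-flag letters and the three categories documented for dsconf/certutil.
FLAG_MEANING = {
    "C": "trusted CA",
    "T": "trusted CA for client authentication",
    "c": "valid CA",
    "P": "trusted peer",
    "p": "valid peer",
    "u": "private key present",
}
CATEGORIES = ("TLS", "email", "object signing")  # SSL,S/MIME,JAR/XPI in certutil -L

def parse_trust_flags(flags: str) -> dict:
    """Split 'CT,,' into per-category flag sets; ValueError on bad count or unknown letter."""
    parts = flags.split(",")
    if len(parts) != 3:
        raise ValueError(f"expected three comma-separated categories, got {flags!r}")
    parsed = {}
    for category, part in zip(CATEGORIES, parts):
        unknown = set(part) - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {category} category")
        parsed[category] = set(part)
    return parsed

def trusted_for_tls_and_client_auth(flags: str) -> bool:
    """True when the TLS category carries both C (trusted CA) and T (client auth)."""
    return {"C", "T"} <= parse_trust_flags(flags)["TLS"]

def parse_certutil_listing(output: str) -> dict:
    """Map nickname -> trust attributes from the text output of `certutil -L`."""
    certs = {}
    for line in output.splitlines():
        stripped = line.strip()
        # Skip blank lines and the two-line column header.
        if not stripped or stripped.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue
        nickname, _, attrs = stripped.rpartition(" ")
        certs[nickname.strip()] = attrs
    return certs

# Constructed sample of `certutil -d /etc/dirsrv/slapd-instance_name/ -L` output.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
Untrusted CA                                                 ,,
Server-Cert                                                  u,u,u
"""
```

Running parse_certutil_listing over the real certutil output and feeding each entry to trusted_for_tls_and_client_auth turns the manual "look for CT,," check into an automated one.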
Additional resources
- The certutil(1) man page
5.2. Changing the CA trust flags using the web console
You can use the web console to change the CA trust flags.
Prerequisites
- You imported a CA certificate to the network security services (NSS) database.
Procedure
- Navigate to .
- Click the icon next to the CA certificate, and select Edit Trust Flags.
- Select the trust flags.
- Click
Verification
- Navigate to .
- Click next to the CA certificate to display the trust flags.