Chapter 6. Renewing a TLS certificate

Procedure

1. Create a private key and a certificate signing request (CSR). Skip this step if you want to create them using an external utility.

   • If your host is reachable only by one name, enter:

     # dsctl instance_name tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization"

   • If your host is reachable by multiple names:

     # dsctl instance_name tls generate-server-cert-csr -s "CN=server.example.com,O=example_organization" server.example.com server.example.net

     If you specify the host names as the last parameter, the command adds the Subject Alternative Name (SAN) extension with the DNS:server.example.com, DNS:server.example.net entries to the CSR.

   The string specified in the -s subject parameter must be a valid subject name according to RFC 1485. The CN field in the subject is required, and you must set it to one of the fully-qualified domain names (FQDN) of the server. The command stores the CSR in the /etc/dirsrv/slapd-instance_name/Server-Cert.csr file.

2. Submit the CSR to the certificate authority (CA) to get a certificate issued. For further details, see your CA’s documentation.
3. Store both the CA certificate and the server certificate in the /root/ directory.

4. Import the server certificate issued by the CA to the NSS database, using one of the following options:

   • If you created the private key using the dsctl tls generate-server-cert-csr command, enter:

     # dsconf -D "cn=Directory Manager" ldap://server.example.com security certificate add --file /root/instance_name.crt --name "server-cert" --primary-cert

     Remember the name of the certificate you set in the --name _certificate_nickname parameter. You require it in a later step.

   • If you created the private key using an external utility, import the server certificate and the private key:

     # dsctl instance_name tls import-server-key-cert /root/server.crt /root/server.key

     Note that the command requires you to specify the path to the server certificate first and then the path to the private key. This method always sets the nickname of the certificate to Server-Cert.

5. Import the CA certificate to the NSS database:

   # dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate add --file /root/ca.crt --name "Example CA"

6. Set the trust flags of the CA certificate:

   # dsconf -D "cn=Directory Manager" ldap://server.example.com security ca-certificate set-trust-flags "Example CA" --flags "CT,,"

   This configures Directory Server to trust the CA for TLS encryption and certificate-based authentication.

7. Stop the instance:

   # dsctl instance_name stop

8. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file, and remove the following entries including their attributes:

   • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
   • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
   Important

   Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.

9. Start the instance:

   # dsctl instance_name start