Archive for December, 2008

Determine CSN update time from CSN in Directory Server 5/6

I needed to determine the update time for a particular attribute for one of my customers. I knew I had run across how to get it from a csn attribute.

If you can obtain the CSN of an attribute (for example, from the nscpentrywsi operational attribute), the timestamp is the first 8 hex digits of the CSN: the Unix time (seconds since the epoch) written in hexadecimal.

For example:

nscpentrywsi: cn;adcsn-494d685d000000010000;vucsn-494d685d000000010000: The K

The timestamp in hex is: 494d685d

With a bit of Perl, we can convert it to a local time value:

perl -e 'print localtime(hex("494d685d")) . "\n";'

Which returns (in the machine's local time zone):

Sat Dec 20 16:49:17 2008
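The same decoding in Python, as an added example rather than code from the post: it pulls every CSN-bearing subtype (adcsn-, vucsn-, and so on) out of an nscpentrywsi line, takes the first 8 hex digits as the Unix timestamp, and renders it in UTC so the result does not depend on the local time zone. It goes a step further than the post and also splits out the remaining fields of the 20-hex-digit CSN (sequence number, replica id, sub-sequence number), using the CSN layout of Sun/389 Directory Server; the sample line is the one quoted above.

```python
import re
from datetime import datetime, timezone

# Sample input, copied from the nscpentrywsi value quoted in the post above.
SAMPLE_LINE = (
    "nscpentrywsi: cn;adcsn-494d685d000000010000;"
    "vucsn-494d685d000000010000: The K"
)

# CSN layout (Sun DS / 389 DS): 20 hex digits =
#   8 (seconds since the Unix epoch) + 4 (sequence number)
#   + 4 (replica id) + 4 (sub-sequence number)
CSN_RE = re.compile(
    r"^([0-9a-fA-F]{8})([0-9a-fA-F]{4})([0-9a-fA-F]{4})([0-9a-fA-F]{4})$"
)
# An attribute subtype carrying a CSN looks like "adcsn-<csn>" or "vucsn-<csn>".
CSN_SUBTYPE_RE = re.compile(r"^([a-z]+csn)-([0-9a-fA-F]{20})$")


def decode_csn(csn: str) -> dict:
    """Split a 20-hex-digit CSN into its fields; the timestamp is the first 8 digits."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    ts, seq, rid, sub = (int(field, 16) for field in m.groups())
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "timestamp": ts,                          # e.g. 0x494d685d -> 1229809757
        "utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "seq": seq,
        "replica_id": rid,
        "subseq": sub,
    }


def parse_nscpentrywsi(line: str) -> list:
    """Return (attribute, csn_kind, decoded_csn) for each CSN subtype on the line.

    Lines without CSN subtypes yield an empty list.
    """
    prefix = "nscpentrywsi: "
    body = line[len(prefix):] if line.startswith(prefix) else line
    # The attribute description (name plus ';'-separated subtypes) ends at the first ':'.
    attr_desc, _, _value = body.partition(":")
    parts = attr_desc.split(";")
    base_attr, subtypes = parts[0], parts[1:]
    found = []
    for sub in subtypes:
        m = CSN_SUBTYPE_RE.match(sub)
        if m:
            found.append((base_attr, m.group(1), decode_csn(m.group(2))))
    return found


if __name__ == "__main__":
    for attr, kind, csn in parse_nscpentrywsi(SAMPLE_LINE):
        print(f"{attr}: {kind} at {csn['utc']} "
              f"(replica {csn['replica_id']}, seq {csn['seq']})")
```

Run against the sample line it reports both CSNs as 2008-12-20T21:49:17Z, which is the post's "Sat Dec 20 16:49:17 2008" shifted from US Eastern time to UTC; using UTC makes CSN timestamps comparable across replicas in different zones.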

Longer term self-signed OpenSSL Certificates and Sun DSEE Directory Server

I’ve long had an itch to scratch about the default 3-month duration of self-signed certificates available in Sun DSEE 6.x.

For the initial part, I’ve followed the instructions available at http://www.akadia.com/services/ssh_test_certificate.html.

Create your server’s key

# openssl genrsa -des3 -out server.key 1024

<it will ask for a password, twice>

Strip the passphrase from the key so it can be used without prompting; one less thing to remember.

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

Next we need to generate a certificate signing request from the Sun Directory Server (DSEE) instance.

cd /path/to/dsadm

./dsadm request-cert --name "ldap.example.com" --org "Example.com" --org-unit "IT" --city "New York" --state "New York" --country "USA" /path/to/ldap > /tmp/server.csr

Sign the certificate request locally, using the key we generated ourselves. In my case, I'm making it good for approximately 10 years (3650 days).

# openssl x509 -req -days 3650 -in /tmp/server.csr -signkey server.key -out server.crt

We now have a certificate in server.crt, which we need to add to the directory's certificate store and then select as the server's SSL certificate:

./dsadm import-selfsign-cert /path/to/ldap 'ldap.example.com' server.crt

./dsadm restart /path/to/ldap
./dsconf set-server-prop -h hostname -p 389 ssl-rsa-cert-name:ldap.example.com

That's all it takes to get your server running with a self-signed 10-year certificate.