Archive for December 10th, 2008

Longer term self-signed OpenSSL Certificates and Sun DSEE Directory Server

I’ve long had an itch to scratch about the default 3-month duration of self-signed certificates available in Sun DSEE 6.x.

For the initial part, I’ve followed the instructions available at http://www.akadia.com/services/ssh_test_certificate.html.

Create your server’s key

# openssl genrsa -des3 -out server.key 1024

<it will ask for a password, twice>

Strip the passphrase from the key, so the server can start without prompting for it and it is one less thing to remember.

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

Next, generate a certificate signing request from the Sun Directory Server (DSEE) instance.

cd /path/to/dsadm

./dsadm request-cert --name "ldap.example.com" --org "Example.com" --org-unit "IT" --city "New York" --state "New York" --country "USA" /path/to/ldap > /tmp/server.csr

Sign the certificate request locally, using the key we generated ourselves. In my case, I'm making it good for approximately 10 years (3650 days).

# openssl x509 -req -days 3650 -in /tmp/server.csr -signkey server.key -out server.crt

We now have the certificate in server.crt, which we need to import into the directory server's keystore.

./dsadm import-selfsign-cert /path/to/ldap 'ldap.example.com' server.crt

./dsadm restart /path/to/ldap
./dsconf set-server-prop -h hostname -p 389 ssl-rsa-cert-name:ldap.example.com

That's all it takes to get your server running with a self-signed 10-year certificate.
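The OpenSSL half of the procedure above, scripted, together with the two checks worth running before importing the result into the directory server: that the certificate really carries the requested 3650 days of validity, and that its public key is the one belonging to the private key you signed with. This is an added example, not code from the original post or from Sun. It assumes no DSEE instance is at hand, so `openssl req` stands in for `dsadm request-cert` (the subject is passed with `-subj`, and openssl insists on the two-letter country code, hence `C=US`); the 2048-bit key size and the `make_self_signed_cert`, `cert_valid_for_days` and `key_matches_cert` helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate an unencrypted RSA key,
# a CSR and a self-signed cert with a long validity, then verify the result.
# Assumes only a working `openssl` binary; `openssl req` stands in for
# `dsadm request-cert` because no DSEE instance is available here.
set -eu

# Create server.key (no passphrase), server.csr and server.crt in DIR, with the
# certificate valid for DAYS days and CN set to CN.  2048 bits is this
# example's choice (the post used 1024).
make_self_signed_cert() {
    dir=$1; days=$2; cn=$3
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/CN=$cn/O=Example.com/OU=IT/L=New York/ST=New York/C=US" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Succeed if CRT is still valid (DAYS-1) days from now but has expired by
# (DAYS+1) days from now, i.e. its lifetime is DAYS give or take a day.
# `-checkend SECONDS` exits 0 when the cert will NOT have expired by then,
# so no date parsing or arithmetic on notBefore/notAfter is needed.
cert_valid_for_days() {
    crt=$1; days=$2
    openssl x509 -in "$crt" -noout -checkend $(( (days - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$crt" -noout -checkend $(( (days + 1) * 86400 )) >/dev/null
}

# Succeed if the SubjectPublicKeyInfo embedded in CRT is the public half of KEY.
# Both commands emit the public key as PEM, so a plain string compare suffices.
key_matches_cert() {
    key=$1; crt=$2
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ]
}

# Print subject and validity dates for a quick eyeball check.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Demo run: build into a temporary directory, verify, and clean up.
workdir=$(mktemp -d)
make_self_signed_cert "$workdir" 3650 ldap.example.com
if cert_valid_for_days "$workdir/server.crt" 3650; then
    echo "validity: ~3650 days, as requested"
else
    echo "validity: NOT the requested 3650 days"; exit 1
fi
if key_matches_cert "$workdir/server.key" "$workdir/server.crt"; then
    echo "key/cert: public key in server.crt matches server.key"
else
    echo "key/cert: MISMATCH"; exit 1
fi
cert_summary "$workdir/server.crt"
rm -rf "$workdir"
```

Run it as `sh longcert.sh`; the generated files live only in a temporary directory. To reuse it for a real DSEE instance, drop the `openssl req` step, feed the CSR produced by `dsadm request-cert` into the `openssl x509 -req` line, and run the two checks against the resulting server.crt before `dsadm import-selfsign-cert`.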