Skip to content

Instantly share code, notes, and snippets.

@plembo

plembo/LetsEncrypt389DS.md

Last active October 7, 2024 13:40
Show Gist options
  • Save plembo/e69720a116f06c3b73452d4e0a9da0e0 to your computer and use it in GitHub Desktop.
Save plembo/e69720a116f06c3b73452d4e0a9da0e0 to your computer and use it in GitHub Desktop.
Download ZIP
Let's Encrypt 389 Directory Server
Raw
LetsEncrypt389DS.md

Let's Encrypt the 389 Directory Server

The following procedure is for installing a wildcard cert and key paid from Let's Encrypt for the 389 Directory Server.

  1. Use the 389 Console gui to create a certificate database db and to import the Let's Encrypt certificate chain cert (which will be in PEM format). See secs. 9.1.3.2 and 9.3.3.2 of the Red Hat Directory Server Administration Guide for details.

  2. Create a pin.txt file under /etc/dirsrv/slapd-[instance name]:

Internal (Software) Token:agoodpassword
  1. Convert your key and cert obtained from Let's Encrypt to PKCS12 format:
openssl pkcs12 -export -out myhost.pfx -inkey myhost.key -in myhost.crt -certfile letsencrypt-chain.crt
  1. Import myhost.pfx into the directory server:
pk12util -i myhost.pfx -d /etc/dirsrv/slapd-myserver -W agoodpassword
  1. Verify everything is installed:
certutil -L -d /etc/dirsrv/slapd-myserver
certutil -K -d /etc/dirsrv/slapd-myserver

  1. Enable TLS/SSL in the 389 Console gui following the instructions found in sec. 9.4.1.2 of the Red Hat Directory Administration Guide.

  2. Test connecting to the directory over TLS/SSL:

ldapsearch -LLL -v -x -H ldaps://ldap.example.com:636 -b "dc=example,dc=com" -s base "(objectclass=*)"

ldap_initialize( ldaps://ldap.example.com:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment