Overview#

You can obtain the certificate that an LDAP server presents (on an LDAPS port, or on a plain LDAP port after StartTLS) by connecting to its hostname and port with the OpenSSL client, or by reading the CA certificate directly out of the directory with ldapsearch.

Using openSSL#

For example, against an LDAPS listener on port 636 (redirect stdin from /dev/null so s_client exits after the handshake instead of waiting for input; on OpenSSL 1.1.1 and later, `-starttls ldap` does the same against a StartTLS listener on port 389):
openssl s_client -showcerts -connect ldap.yourdomain.com:636 </dev/null

The "verify error:num=19:self signed certificate in certificate chain" line below is expected: the server's issuer is a private CA that is not yet in the OpenSSL trust store, which is exactly why you are fetching the chain. Certificate 0 is the server certificate; the last certificate in the chain (here, 1) is the self-signed CA you will want to trust.

CONNECTED(00000003)
depth=1 /CN=willeke.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=WILLEKETREE/CN=sa.willeke.com
   i:/CN=willeke.com
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:/CN=willeke.com
   i:/CN=willeke.com
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/O=WILLEKETREE/CN=sa.willeke.com
issuer=/CN=willeke.com
---
No client certificate CA names sent
---
SSL handshake has read 2772 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: D3D1910519267B6C0C85510E6729BFD6FD42323A63B4F224BB1F1F860D2E9EFB
    Session-ID-ctx: 
    Master-Key: EC74C6B5E3016BD901524A4D5569F9EA0A2B10C4DB687EBC8CC9628D8293AC46108C8985B2760A09A85B1CA719A2A8B4
    Key-Arg   : None
    Start Time: 1352639875
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The last two lines are not part of the certificate output: when s_client's stdin closes, the directory server sends an LDAP Notice of Disconnection (the unsolicited notification with responseName OID 1.3.6.1.4.1.1466.20036, RFC 4511 section 4.4.1), whose raw BER bytes are printed before s_client reports "closed":

0$x
?1.3.6.1.4.1.1466.20036closed
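The chain printed by s_client is only useful once each certificate is in its own file. The shell functions below are an added example written for this page (not part of the original, and not tooling from OpenSSL or eDirectory); they split a captured `openssl s_client -showcerts` transcript into one PEM file per chain position and list the subject/issuer of each entry so you can pick the root. The transcript in sample_capture is constructed to match the format shown above, and its PEM bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original page): post-process the output of
#   openssl s_client -showcerts -connect host:636 </dev/null 2>/dev/null
# Usage: openssl s_client ... | split_chain ./certs   -> writes certs/chain-N.pem
#        openssl s_client ... | list_chain            -> "N subject=... issuer=..."

split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    # s_client prefixes each chain entry with " N s:<subject>" / "   i:<issuer>"
    # followed by a PEM block; copy each block to <outdir>/chain-N.pem and
    # print how many certificates were written.
    awk -v dir="$outdir" '
        /^ *[0-9]+ s:/ { idx = $1 }
        /-----BEGIN CERTIFICATE-----/ { inpem = 1; file = dir "/chain-" idx ".pem" }
        inpem { print > file }
        /-----END CERTIFICATE-----/ { if (inpem) { close(file); n++ }; inpem = 0 }
        END { print n + 0 }
    '
}

list_chain() {
    # One line per chain entry: position, subject and issuer as s_client printed them.
    awk '
        /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); print idx " subject=" subj " issuer=" $0 }
    '
}

sample_capture() {
    # Constructed s_client transcript in the same layout as the page's output.
    # The PEM bodies are placeholders, NOT real certificates.
    cat <<'EOF'
CONNECTED(00000003)
depth=1 /CN=willeke.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=WILLEKETREE/CN=sa.willeke.com
   i:/CN=willeke.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE-0
-----END CERTIFICATE-----
 1 s:/CN=willeke.com
   i:/CN=willeke.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE-1
-----END CERTIFICATE-----
---
Server certificate
subject=/O=WILLEKETREE/CN=sa.willeke.com
issuer=/CN=willeke.com
---
EOF
}

# Stand-alone demo on the constructed transcript.
demo_dir=$(mktemp -d)
sample_capture | list_chain
echo "wrote $(sample_capture | split_chain "$demo_dir") certificate(s) to $demo_dir"
```

The entry whose subject equals its issuer (position 1 above) is the self-signed CA; that is the file to hand to `openssl verify -CAfile`, to a client's TLS_CACERT setting, or to keytool. Inspect it with `openssl x509 -in certs/chain-1.pem -noout -subject -issuer -dates` before trusting it.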

Using ldapsearch command utility#

We do a lot of automation of installation and maintenance using scripts, and we often use the ldapsearch command utility on Linux and OS X machines for this.

The process shown here reads the CA certificate from the eDirectory security container, so as written it only works with eDirectory; other LDAP server implementations that publish their CA certificate in the directory may work with slight modifications (a different base DN, object class and attribute name).

Using the ldapsearch command utility:

ldapsearch -x -T ~/ -t -h your-edirectory-host.yourdomain.com -b "cn=Security" objectclass=nDSPKICertificateAuthority cACertificate

Here -t writes binary attribute values to files instead of printing them, and -T sets the directory those files go in. Newer OpenLDAP clients have dropped -h; use -H ldap://your-edirectory-host.yourdomain.com instead.

This will create a file in the home directory of the user with a random suffix, similar to:

ldapsearch-cACertificate-FS7uCC

The cACertificate value is stored in DER (binary) form, so run this OpenSSL command to convert it to PEM (base64) format:

openssl x509 -inform der -in ~/ldapsearch-cACertificate-FS7uCC -out ~/trustedroot.pem

The resulting trustedroot.pem is a text file you can use as a trust anchor. Before relying on it, confirm it is really the issuer of the server certificate you saw over the wire (for example with openssl verify -CAfile ~/trustedroot.pem against the saved server certificate).
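Fetching a CA certificate out of the directory is only half the job; the check a practitioner wants is that the fetched CA actually issued the certificate the LDAP server presents. The functions below are an added example written for this page (not the page's own procedure and not eDirectory tooling): der_to_pem is the page's conversion step wrapped in a function, and verify_server_cert runs openssl verify against the result. Because the example must run offline, make_test_pki generates a throwaway CA and server certificate with openssl and exports the CA as DER to stand in for the ldapsearch-cACertificate-XXXXXX file; the names example-ca, ldap.example.com and ca.der are assumptions made for the demo, and the script needs the openssl command on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): convert the DER CA blob that
# "ldapsearch -t" saved into PEM and verify that it issued the server cert.
# In real use $DER_CA is ~/ldapsearch-cACertificate-XXXXXX and $SERVER_PEM is
# the first certificate saved from "openssl s_client -showcerts".

der_to_pem() {
    # The page's own conversion step: DER in, PEM (base64) out.
    openssl x509 -inform der -in "$1" -out "$2"
}

verify_server_cert() {
    # Exit status 0 only when $2 chains to the trust anchor in $1.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki() {
    # Constructed, throwaway PKI for the demo: a self-signed CA (example-ca,
    # an assumed name) and a server certificate it issues for an assumed host.
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
    # A second, unrelated CA to show what a failed check looks like.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
    # ldapsearch hands us DER, so emit the CA that way (stands in for the -t file).
    openssl x509 -in "$dir/ca.pem" -outform der -out "$dir/ca.der" 2>/dev/null
}

check_fetched_ca() {
    # Returns "ok" when the DER CA in $1 issued the server certificate in $2,
    # "MISMATCH" otherwise.
    pem=$(mktemp)
    der_to_pem "$1" "$pem"
    if verify_server_cert "$pem" "$2"; then echo ok; else echo MISMATCH; fi
    rm -f "$pem"
}

# Stand-alone demo on the generated PKI.
demo=$(mktemp -d)
make_test_pki "$demo"
echo "fetched CA vs server cert: $(check_fetched_ca "$demo/ca.der" "$demo/server.pem")"
openssl x509 -in "$demo/other.pem" -outform der -out "$demo/other.der" 2>/dev/null
echo "unrelated CA vs server cert: $(check_fetched_ca "$demo/other.der" "$demo/server.pem")"
```

A MISMATCH here means the directory handed you a CA that is not the one terminating the TLS connection (a stale CA object, a server certificate issued elsewhere, or an interception proxy), and the PEM should not be added to any trust store until that is explained.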

Using modified InstallCert (a Java program)#

java -jar installcert-usn-20131123.jar your-host.yourdomain:port

The modified program can obtain SSL/TLS certificates from LDAP servers that use StartTLS as well as from ordinary LDAPS servers. It displays information on every certificate it obtains and asks whether you would like to save them. The certificates are saved in Java KeyStore (JKS) format in the jssecacerts file in your JRE file tree, and also in the extracerts file in your current directory. You can then use the Java keytool to export the certificate(s) to other formats.

« This page (revision-16) was last changed on 28-Jan-2017 10:02 by jim