Perl LDAPS and Certificates

Perl LDAPS and Certificate#

By default, when building a Net::LDAPS connection object, the SSL session will be constructed without verification of the certificate used to encrypt the session.

For a truly secure session, this attribute should be set:

verify => 'require'

This requires some additional setup. Every LDAP server has a certificate signed by the Organizational CA of the eDirectory tree (e.g. B1LDAP-QA) that it is part of. eDirectory provides tools to export X.509 certificates in .der and .b64 encoded formats. Perl's Net::LDAPS needs certificates that are PEM encoded.

OpenSSL provides a conversion ability as shown in this Example:

openssl x509 -in CA.der -inform der -out CA.pem -outform PEM

These excerpts (from here and here) describe how to use these certificates:

capath => '/path/to/servercerts/'
cafile => '/path/to/servercert.pem'
When verifying the server's certificate, either set capath to the
pathname of the directory containing CA certificates, or set cafile to
the filename containing the certificate of the CA who signed the
server's certificate. These certificates must all be in PEM format.

The directory in 'capath' must contain certificates named using the
hash value of the certificates' subject names. To generate these
names, use OpenSSL like this in Unix:
    ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

(assuming that the certificate of the CA is in cacert.pem.)

To create PEM encoded certificates from a directory full of .der files, here is a script Example code to help accomplish the task:

for file in `ls *.der`; do
  echo "Processing $file..."
  export PEMfile="`basename $file .der`.pem"
  openssl x509 -in $file -inform der -out $PEMfile -outform PEM
  ln -s $PEMfile `openssl x509 -hash -noout < $PEMfile`.0

More Information#

There might be more information for this subject on one of the following: