LDAPWiki: Retrieving Edirectory Certificate OpenSSL Toolkit

Overview#

Using the OpenSSL command-line utility, you can retrieve the server's certificate of an eDirectory server, and convert the certificate to a format which can be used to access the secure port of the eDirectory server.

Commands#

This tip provides information only on the commands used while getting the certificate. For more information on other commands, check the man-page of OpenSSL.

s_client - Implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only, as it provides only a rudimentary interface functionality, but internally it uses most all the functionality of the OpenSSL library.
x509 - A multi-purpose certificate display and signing utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA," or edit certificate trust settings.

Getting the eDirectory Certificate#

Below are the steps to get the eDirectory certificate.

Display Server certificates

openssl s_client -host <eDirectory server ip>  -port <secure port>  -showcerts

Redirect the output to a file.#

openssl s_client -host 127.0.0.1 -port 636 -showcerts > cert.info

Get the Organizational CA#

Open the cert.info file and search for the Organizational CA, which looks like the example below.

 1 s:/OU=Organizational CA/O=SL-MARA
   i:/OU=Organizational CA/O=SL-MARA
-----BEGIN CERTIFICATE-----
MIIFKzCCBBOgAwIBAgIkAhwR7NDveqBk7Yap75iadAiKO2dyqtAN88Y9aqr+AgIB
DwvfMA0GCSqGSIb3DQEBBQUAMC4xGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENB
MRAwDgYDVQQKEwdTTC1NQVJBMB4XDTA4MDIyNTExMTAwM1oXDTE4MDIyNDExMTAw
M1owLjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExEDAOBgNVBAoTB1NMLU1B
UkEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWUebnqcj8ewkU7DaH
mQjIMDAdBRp9/a+MeSiskbUlRFOVIHP25jQs5iGpW0keaJyN+8GyDjkoM8SYglpo
wRpEHQ3GZcJTnUU9RjpvVYpVk3/Y02oxlSYt1mSNsCUzsrg8DfLt56nZBzJ1tOpD
RYR9hCYZHc5xaJGl+dhSLE2aPRq9vpwydDAJq4ON8oqyX4ptMgEQZ9rx5kG+KIwr
Vpovd91nkH6rsZXaUQTjytgwbzI4YYyd20BDDddemRrkOW+WGzpsJRvSdSH7E55a
c2IKqXb72JY9mMmKynQ44IxIRux6XYCtNEPpVP7oxYUNl3R/iAiDJo1OSENXx5uP
dgTbAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUgWHHjxqYGvLkeXBfYMN1qEvLIgIw
HwYDVR0jBBgwFoAUgWHHjxqYGvLkeXBfYMN1qEvLIgIwDAYDVR0TBAUwAwEB/zAL
BgNVHQ8EBAMCAQYwggHMBgtghkgBhvg3AQkEAQSCAbswggG3BAIBAAEB/xMdTm92
ZWxsIFNlY3VyaXR5IEF0dHJpYnV0ZSh0bSkWQ2h0dHA6Ly9kZXZlbG9wZXIubm92
ZWxsLmNvbS9yZXBvc2l0b3J5L2F0dHJpYnV0ZXMvY2VydGF0dHJzX3YxMC5odG0w
ggFIoBoBAQAwCDAGAgEBAgFGMAgwBgIBAQIBCgIBaaEaAQEAMAgwBgIBAQIBRjAI
MAYCAQECAQoCAWmiBgIBGAEB/6OCAQSgWAIBAgICAP8CAQADDQCAAAAAAAAAAAAA
AAADCQCAAAAAAAAAADAYMBACAQACCH//////////AQEAAgQG8N9IMBgwEAIBAAII
f/////////8BAQACBAbw30ihWAIBAgICAP8CAQADDQBAAAAAAAAAAAAAAAADCQBA
AAAAAAAAADAYMBACAQACCH//////////AQEAAgQR7NDvMBgwEAIBAAIIf///////
//8BAQACBBHs0O+iTjBMAgECAgIA/wIBAAMNAID//////////////wMJAID/////
////MBIwEAIBAAIIf/////////8BAf8wEjAQAgEAAgh//////////wEB/zANBgkq
hkiG9w0BAQUFAAOCAQEAfKhV9DP7xpMIc0J8Flh3cSCP57mSdeo5CLcjSxgTcTLr
jQqWksg43D7FQwP5F/0xk91QUf/IjNqmcJi/JPTyzl6EnISTyo8viiJJ86a9Fop8
0PgPEK6Kw+HQppOCpRDHwh+cGohbN8X0i+WYP4natjGaf2+kMDLMmmLMUNuOBNwA
3Yg8PdP3jMVzbRCJYNLn9x2t/d/rJUltDMN8QVDIresqgoVyjHiQgGKqqUuVPeWe
XNPlZwknJDuZLbQK790TpoW9vVrIlS0yVobeO7017Dd5Cn77FeJWxW+bsw2cL/A4
B9qHjRp91tJp1pnkuv6XV287XIbUiVKaUwVR8P6efw==
-----END CERTIFICATE-----

Save to File#

Copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste to a new file, saving in the format of a .pem file (such as cert.pem).

You can use the .pem format certificate to access the secure port of eDirectory by using openldap client.

Convert from PEM to DER#

Convert the .pem format certificate into .der format by using the x509 command, as shown below.

openssl x509 -in cert.pem -out cert.der -outform der

The .der format certificate can be used to access the eDirectory through via LDAP with the commandline utilities like LDAP search. Use the cert.der to access the secure port of eDirectory server, as follows:

ldapsearch -D cn=admin,o=com -h 127.0.0.1 -p 636 -e cert.der -w passwd  cn=admin

More Information#

There might be more information for this subject on one of the following:

Edirectory Certificate Management

[#1] - Generating an eDirectory Server Certificate using the OpenSSL Tool - based on information obtained 2009-01-22