Changing Server Certificates

OpenDJ uses key stores (for private keys) and trust stores (for public, signed certificates). Up to three sets of key stores are used, as shown in the following illustration. OpenDJ uses different sets of public and private keys for different secure connections.

By default the key stores are located in the /path/to/OpenDJ/config directory.

The keystore and truststore hold keys for securing connections with client applications.

The admin-keystore and admin-truststore hold keys for securing administrative connections, such as those used when connecting with the dsconfig command.

The ads-truststore holds keys for securing replication connections with other OpenDJ servers in the replication topology.

Each key store has a specific purpose.

admin-keystore
    This Java Key Store holds the private key corresponding to the administrative certificate, admin-cert, used to protect communications on the administration port, and for replication. The password is stored in admin-keystore.pin.

admin-truststore
    This Java Key Store holds the public administrative certificate, admin-cert, corresponding to the private key having the same alias in the admin-keystore. The password is the same as for the admin-keystore, in other words the string in admin-keystore.pin.

ads-truststore
    This Java Key Store holds public keys of all servers participating in the replication topology including the current server, and also holds the private key of the current server. The password is stored in ads-truststore.pin. Do not change this key store directly.

keystore
    This Java Key Store holds the private key corresponding to the server certificate used to protect TLS/SSL communications with client applications. The password is stored in keystore.pin.

truststore
    This Java Key Store holds the public server certificate corresponding to the private key having the same alias in the keystore.
    The password is the same as for the keystore, in other words the string in keystore.pin.

Examples in this chapter use self-signed certificates, but you can also use CA-signed certificates. When importing a certificate (keytool -import) signed by a well-known CA, use the option to trust the CA certificates delivered with the Java runtime environment.

To Replace a Server Key Pair

This procedure shows how to replace a server key pair in the admin-truststore and the corresponding private key in the admin-keystore. The examples also apply when replacing a key pair in the keystore and truststore, provided that you change the key store and PIN file names in the commands.

This procedure does not apply for replication key pairs. Instead, see .

1. List information about the contents of the key store and trust store whose contents you want to replace.

    $ cd /path/to/OpenDJ/config
    $ keytool -list -v -keystore admin-keystore -storepass `cat admin-keystore.pin`

2. Remove the certificate to replace from the key store and from the trust store.

    $ keytool -delete -alias admin-cert -keystore admin-keystore \
      -storepass `cat admin-keystore.pin`
    $ keytool -delete -alias admin-cert -keystore admin-truststore \
      -storepass `cat admin-keystore.pin`

3. Generate the private key, storing it in the key store.

    $ keytool -genkey -alias admin-cert -keyalg RSA \
      -dname "CN=opendj.example.com, O=Administration Connector Self-Signed Certificate" \
      -keystore admin-keystore -storepass `cat admin-keystore.pin` \
      -keypass `cat admin-keystore.pin`

   You might choose to make the key valid for 20 years with .

4. Self-sign what you generated.

    $ keytool -selfcert -alias admin-cert -keystore admin-keystore \
      -storepass `cat admin-keystore.pin`

   Alternatively, request and install a CA-signed certificate as described in the section on Preparing For Secure Communications.

5. Export the certificate from the key store.
    $ keytool -export -alias admin-cert -keystore admin-keystore \
      -storepass `cat admin-keystore.pin` -file admin-cert.crt
    Certificate stored in file <admin-cert.crt>

6. Import the certificate into the trust store.

    $ keytool -import -alias admin-cert -keystore admin-truststore \
      -storepass `cat admin-keystore.pin` -file admin-cert.crt
    Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
    Issuer: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
    Serial number: 4e0321c6
    Valid from: Thu Jun 23 13:21:42 CEST 2011 until: Wed Sep 21 13:21:42 CEST 2011
    Certificate fingerprints:
         MD5:  5C:4B:CC:9A:37:E2:71:BD:C4:86:8E:FC:D4:37:39:57
         SHA1: 70:D0:36:0D:EB:0D:AC:45:6D:A4:EF:8A:8E:CB:C7:04:7D:3A:EE:6E
         Signature algorithm name: SHA1withRSA
         Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

7. Restart OpenDJ to make sure it reloads the key stores.

    $ stop-ds --restart

8. If you have client applications trusting the self-signed certificate, have them import the new one (admin-cert.crt in this example).

To Replace the Key Pair Used for Replication

Follow these steps to replace the key pair that is used to secure replication connections.

1. Delete the key pair used by this server to secure replication connections. The change is replicated across the topology.

   a. Identify the key ID of the certificate used by this server by searching the administrative data using the host name and administration port for this server. The server in this example is installed on opendj.example.com with administration port 4444.

       $ ldapsearch --port 1389 --hostname opendj.example.com \
         --baseDN "cn=admin data" "(cn=opendj.example.com:4444)" ds-cfg-key-id
       dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
       ds-cfg-key-id: 4F2F97979A7C05162CF64C9F73AF66ED

      The key ID in this case is 4F2F97979A7C05162CF64C9F73AF66ED.

   b. Using the key ID, delete the certificate.
       $ ldapmodify --port 1389 --hostname opendj.example.com \
         --bindDN "cn=Directory Manager" --bindPassword password
       dn: ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,cn=instance keys,cn=admin data
       changetype: delete

       Processing DELETE request for ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,cn=instance keys,cn=admin data
       DELETE operation successful for DN ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,cn=instance keys,cn=admin data

2. Generate a new key pair for the server. The changes you perform are replicated across the topology.

   OpenDJ has an ads-certificate and private key, which is a local copy of the key pair used to secure replication connections. To generate the new key pair, you remove the ads-certificate key pair, prompt OpenDJ to generate a new ads-certificate key pair, and then add a copy to the administrative data using the MD5 fingerprint of the certificate to define the RDN.

   a. Delete the ads-certificate entry.

       $ ldapmodify --port 1389 --hostname opendj.example.com \
         --bindDN "cn=Directory Manager" --bindPassword password
       dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
       changetype: delete

       Processing DELETE request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
       DELETE operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore

   b. Prompt OpenDJ to generate a new, self-signed ads-certificate key pair. You do this by adding an ads-certificate entry with object class ds-cfg-self-signed-cert-request.

       $ ldapmodify --port 1389 --hostname opendj.example.com \
         --bindDN "cn=Directory Manager" --bindPassword password
       dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
       changetype: add
       objectclass: ds-cfg-self-signed-cert-request

       Processing ADD request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
       ADD operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore

   c. Retrieve the ads-certificate entry.
       $ ldapsearch --port 1389 --hostname opendj.example.com \
         --baseDN cn=ads-truststore "(ds-cfg-key-id=ads-certificate)"
       dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
       ds-cfg-key-id: ads-certificate
       ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
        QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
        LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
        0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
        CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
        cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
        GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
        7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
        srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
       objectClass: top
       objectClass: ds-cfg-instance-key

   d. Retrieve the MD5 fingerprint of the ads-certificate. In this example, the MD5 fingerprint is 07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C.

       $ keytool -list -v -alias ads-certificate \
         -keystore /path/to/OpenDJ/config/ads-truststore \
         -storepass `cat /path/to/OpenDJ/config/ads-truststore.pin`
       Alias name: ads-certificate
       Creation date: Feb 7, 2013
       Entry type: PrivateKeyEntry
       Certificate chain length: 1
       Certificate[1]:
       Owner: CN=opendj.example.com, O=OpenDJ Certificate
       Issuer: CN=opendj.example.com, O=OpenDJ Certificate
       Serial number: ca49416
       Valid from: Thu Feb 07 11:30:33 CET 2013 until: Wed Feb 02 11:30:33 CET 2033
       Certificate fingerprints:
            MD5:  07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C
            SHA1: 56:30:F6:79:AA:C0:BD:61:88:3E:FB:38:38:9D:84:70:0B:E4:43:57
            SHA256: A8:4B:81:EE:30:2A:0C:09:2E:...:C1:41:F5:AB:19:C6:EE:AB:50:64
            Signature algorithm name: SHA1withRSA
            Version: 3

   e. Using the MD5 fingerprint and the certificate entry, prepare LDIF to update cn=admin data with the new server certificate.
       $ cat /path/to/update-server-cert.ldif
       dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,cn=admin data
       changetype: add
       ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
       ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
        QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
        LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
        0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
        CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
        cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
        GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
        7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
        srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
       objectClass: top
       objectClass: ds-cfg-instance-key

       dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
       changetype: modify
       replace: ds-cfg-key-id
       ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C

   f. Update the administrative data, causing OpenDJ to create a copy of the new ads-certificate with its MD5 fingerprint as the alias in the ads-truststore.

       $ ldapmodify --port 1389 --hostname opendj.example.com \
         --bindDN "cn=Directory Manager" --bindPassword password \
         --filename /path/to/update-server-cert.ldif
       Processing ADD request for ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,cn=admin data
       ADD operation successful for DN ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,cn=admin data
       Processing MODIFY request for cn=opendj.example.com:4444,cn=Servers,cn=admin data
       MODIFY operation successful for DN cn=opendj.example.com:4444,cn=Servers,cn=admin data

3. Force OpenDJ to reopen replication connections using the new key pair. Stop replication temporarily and then start it again as described in the Administration Guide section on Configuring Replication.
    $ dsconfig set-synchronization-provider-prop --port 4444 --hostname opendj.example.com \
      --bindDN "cn=Directory Manager" --bindPassword password \
      --provider-name "Multimaster Synchronization" --set enabled:false --no-prompt
    $ dsconfig set-synchronization-provider-prop --port 4444 --hostname opendj.example.com \
      --bindDN "cn=Directory Manager" --bindPassword password \
      --provider-name "Multimaster Synchronization" --set enabled:true --no-prompt