http://blogs.sun.com/roller/page/baban? … _ssl_using
Directory server side 
The following shows how to set up Sun Directory Server 5.2 and the Solaris LDAP 
client for SSL. I have tried to give openssl, certutil, PEM and DER examples (and 
Directory server console steps in some places) that achieve the same result.
Assumptions
myhost.test.sun.com == fully qualified hostname of the Directory server.
/var/mps/serverroot == serverroot for the Directory server.
dc=sun,dc=com == Directory server already setup with this suffix
# openssl is delivered in /usr/sfw/bin on Solaris 10 
# Please refer to the appropriate man pages for a description of the 
command-line options used below.
 
DER and PEM
DER: a binary format
PEM: base-64 encoded DER format with header and footer
certutil: Default is DER. For PEM, use -a
openssl: Default is PEM. For DER, use -inform DER and/or -outform DER
 
Create Test CA
1. openssl
# The /usr/sfw/bin/CA.pl script creates its directory structure either under 
the current working directory or under /etc/sfw/openssl, depending on the 
version of openssl you are using, so check the value of the CATOP variable in 
/usr/sfw/bin/CA.pl first.
If you want to create the CA under /CA/cacertdb:
mkdir -p /CA/cacertdb; cd /CA/cacertdb
# Set CATOP in /usr/sfw/bin/CA.pl to /CA/cacertdb
# Set dir under [ CA_default ] in /etc/sfw/openssl/openssl.cnf to /CA/cacertdb
perl /usr/sfw/bin/CA.pl -newca
# Default name for the CA cert is cacert.pem. The CA private key is written to 
private/cakey.pem, protected by the pass phrase CA.pl prompts for; it never 
leaves the CA directory.
2. certutil
# Create CA certificate DB
mkdir -p /CA/cacertdb
certutil -N -d /CA/cacertdb -P ca-
# Create a self-signed CA certificate, valid for 120 months. The subject 
contains spaces and commas, so quote it. -5 prompts for the Netscape 
certificate type extension.
certutil -S -x -n ca-cert -s "cn=CA Certificate certutil,ou=TEST,o=Sun Microsystems Inc.,l=Menlo Park,st=CA,c=US" -t CTPu -v 120 -d /CA/cacertdb -P ca- -5
# when prompted, select (5) SSL CA and 'y' for critical extensions
# Export the CA cert into an output file in PEM format (-a = ASCII/base-64)
certutil -L -d /CA/cacertdb -P ca- -n ca-cert -a > cacert.pem
 
Create NSS DB for Directory server
1. Console
Use the Directory server console => Manage Certificates. The DB is created the 
first time any of the certificate functions is used. With Directory Server 6.0 
the NSS DB is created together with the server instance, so this step is not 
necessary there.
2. certutil
certutil -N -d /var/mps/serverroot/alias -P slapd-myhost-
# Remember the password you give here; it is the one the server asks for at 
startup and the one that goes into the pin file later.
 
Generate Certificate Signing Request (CSR) for server cert
1. Console
Use the Directory server console => Manage Certificates to generate CSR and save 
it to a file
2. certutil
certutil -R -s "cn=myhost.test.sun.com,ou=TEST,o=Sun Microsystems Inc.,l=Menlo Park,st=CA,c=US" -o DER.csr -d /var/mps/serverroot/alias -P slapd-myhost-
# cn must be the fully qualified name clients will connect to; the request is 
written in DER (certutil's default).
3. openssl
# Generate a 2048-bit RSA private key (keep the file private: chmod 600)
openssl genrsa -out privkey.pem 2048
# OR generate a 2048-bit DSA private key. A DSA key only works with the DSS 
cipher suites, so use RSA unless you specifically need DSA.
openssl dsaparam -out DSAparam.pem 2048
openssl gendsa -out privkey.pem DSAparam.pem
# Generate the certificate request (use the fully qualified hostname as CN)
openssl req -new -key privkey.pem -out PEM.csr
# Display the content and public key of the certificate request
openssl req -in PEM.csr -noout -text -pubkey
 
Sign CSR using Test CA
1. certutil
# Sign a DER CSR (12 months validity); -5 prompts for the certificate type
certutil -C -c ca-cert -i DER.csr -o ./cert.der -v 12 -d /CA/cacertdb -P ca- -5
# Sign a PEM CSR
certutil -C -c ca-cert -a -i PEM.csr -o ./cert.pem -v 12 -d /CA/cacertdb -P ca- -5
# when prompted, select (1) SSL Server for a server certificate
2. openssl
# Uses dir and private_key from [ CA_default ] and prompts for the CA key 
pass phrase; run it from /CA/cacertdb so that cacert.pem resolves
openssl ca -policy policy_anything -cert cacert.pem -in PEM.csr -out ./cert.pem
 
Import signed certs into NSS DB
1. Console
Use the Manage Certificates tab to import the PEM certificates
2. certutil
# Import the PEM server cert (-t Pu: trusted peer, with our private key)
certutil -A -a -n server-cert -i ./cert.pem -t Pu -d /var/mps/serverroot/alias -P slapd-myhost-
# Import the DER server cert
certutil -A -n server-cert -i ./cert.der -t Pu -d /var/mps/serverroot/alias -P slapd-myhost-
# Import the PEM CA cert (-t CT: trusted to issue server and client certs)
certutil -A -a -n ca-cert -i cacert.pem -t CT -d /var/mps/serverroot/alias -P slapd-myhost-
# List the contents
certutil -L -d /var/mps/serverroot/alias -P slapd-myhost-
# List a specific cert; check that subject, issuer and validity are what you 
expect before enabling SSL
certutil -L -d /var/mps/serverroot/alias -P slapd-myhost- -n server-cert
3. openssl
# Import openssl certificates/keys into the NSS DB: convert cert, key and CA 
cert into PKCS#12 format (the -name becomes the nickname in the NSS DB)
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cacert.pem -name "MY CERTIFICATE" -out mycert.p12
# Import it into the NSS DB
pk12util -i mycert.p12 -d /var/mps/serverroot/alias -P slapd-myhost- -v
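The openssl path of the last four sections (test CA, CSR, signing, PKCS#12 for import) run end to end, with the checks worth doing before the certificate goes anywhere near the Directory server. This is an added example, not code from the original post: it uses openssl x509 -req instead of openssl ca so that no CA.pl directory layout is needed, writes its own minimal openssl config instead of editing /etc/sfw/openssl/openssl.cnf, and adds serverAuth and a subjectAltName to the server certificate. It also exercises the -inform/-outform point from the DER and PEM note above: the DER copy must have the same fingerprint as the PEM original. The scratch directory, the CA's DN, the PKCS#12 password and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the openssl path of the
# sections above run end to end, plus the checks worth doing before the
# certificate goes near the Directory server.  Scratch directory, CA DN,
# PKCS#12 password and function names are this example's assumptions.

# A minimal config of our own, so nothing depends on the system openssl.cnf.
# The CA gets CA:TRUE (what CA.pl -newca and certutil -S -x produce); the
# server cert gets serverAuth and a subjectAltName for the FQDN.
write_openssl_cnf() {  # write_openssl_cnf FILE SERVER_FQDN
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# Test CA, server key and CSR, signed cert in PEM and DER, PKCS#12 bundle,
# all in DIR.  Returns non-zero at the first failing step.
mk_test_pki() {  # mk_test_pki DIR SERVER_FQDN P12_PASSWORD
    dir=$1 fqdn=$2 p12pass=$3
    write_openssl_cnf "$dir/openssl.cnf" "$fqdn" || return 1
    # Self-signed test CA; cakey.pem stays with the CA and is never imported
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=US/O=Example Test CA/CN=Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Server key and CSR; the CN is the FQDN clients will connect to
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -config "$dir/openssl.cnf" -key "$dir/privkey.pem" \
        -subj "/C=US/O=Example/CN=$fqdn" -out "$dir/PEM.csr" 2>/dev/null || return 1
    # Sign with the test CA.  openssl x509 -req is used instead of openssl ca
    # because it needs no CA.pl directory layout; the extensions come from
    # the v3_server section above.
    openssl x509 -req -sha256 -days 365 -in "$dir/PEM.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    # DER copy (-outform DER) and the PKCS#12 bundle that pk12util imports;
    # -name becomes the certificate nickname in the NSS DB
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der" || return 1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/privkey.pem" \
        -certfile "$dir/cacert.pem" -name "server-cert" \
        -passout "pass:$p12pass" -out "$dir/mycert.p12" 2>/dev/null
}

# CN of a CSR, whichever subject print style this openssl uses (/CN=x or CN = x)
csr_cn() { openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Chain check: what the server and client NSS DBs do once the CA is imported
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/cert.pem" >/dev/null 2>&1; }

# Hostname check: the Solaris client compares the name it connects to with
# the certificate, which is why myhost must resolve to its FQDN
cert_matches_host() {  # cert_matches_host CERT_PEM HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# SHA-256 fingerprint of a certificate in either encoding (openssl: -inform)
fingerprint() {  # fingerprint FILE PEM|DER
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Fingerprint of the certificate inside the PKCS#12 bundle
p12_cert_fingerprint() {  # p12_cert_fingerprint FILE PASSWORD
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Stand-alone run in a scratch directory
tmp=$(mktemp -d)
if mk_test_pki "$tmp" myhost.test.sun.com changeit && verify_chain "$tmp" &&
   cert_matches_host "$tmp/cert.pem" myhost.test.sun.com; then
    echo "CSR CN: $(csr_cn "$tmp/PEM.csr")"
    echo "PEM:    $(fingerprint "$tmp/cert.pem" PEM)"
    echo "DER:    $(fingerprint "$tmp/cert.der" DER)"
    echo "P12:    $(p12_cert_fingerprint "$tmp/mycert.p12" changeit)"
fi
rm -rf "$tmp"
```

Only cacert.pem travels to the server's alias directory and to the client's /var/ldap; cakey.pem and the server's privkey.pem stay where they were generated. The hostname check is the reason the client section insists that myhost resolves fully qualified: the name the client connects to is matched against the certificate, so cn= in the CSR (and the subjectAltName added here) must be that FQDN.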
 
Enable SSL
1. Console.
# From the Configuration tab, select Encryption.
# Select Enable SSL for this server
# Select Use this cipher family
# Select Certificate (the nickname of the server cert imported above)
# Select Do not allow client authentication OR Allow client authentication, 
but NOT Require client authentication: the Solaris client configured below 
has no client certificate, so requiring one would make every connection fail
# Save and restart the directory server from the command line. You will be 
prompted for: Enter PIN for Internal (Software) Token
# For automatic startup with SSL, add the NSS DB password to the pin file. 
The password is stored in clear text, so the file must be readable only by 
the user the server runs as.
cd /var/mps/serverroot/alias
vi slapd-myhost-pin.txt
Internal (Software) Token:your-NSSDB-password-here
chmod 400 slapd-myhost-pin.txt
directoryserver stop
directoryserver start
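An added example (not from the original post) for the pin file step: write the file so that the password is never world-readable even for an instant, then audit its mode, owner and format the way a reviewer would. The path, the owner argument and the password are this example's assumptions; the page's file is /var/mps/serverroot/alias/slapd-myhost-pin.txt, owned by the user the server runs as.

```shell
#!/bin/sh
# Added example, not from the original post: create and audit the pin file
# that lets the Directory server start SSL unattended.  File, owner and
# password are arguments, so the checks can be run on any scratch copy.

# Write the pin file with umask 077 in a subshell: the file is created 0600
# before the first byte lands, and an old copy is removed first so a stale
# world-readable file does not keep its mode.  The token name is the one
# the server prompts for: "Internal (Software) Token".
write_pin_file() {  # write_pin_file FILE PASSWORD
    ( umask 077 && rm -f "$1" && printf 'Internal (Software) Token:%s\n' "$2" > "$1" ) || return 1
    chmod 400 "$1"
}

# Audit checks, written with ls(1) so they run unchanged on Solaris and Linux
pin_file_mode_ok() {  # pin_file_mode_ok FILE: no group or other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
pin_file_owner_ok() {  # pin_file_owner_ok FILE USER: owned by the server's user
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}
pin_file_format_ok() {  # one line: token name, a colon, a non-empty password
    [ "$(wc -l < "$1" | tr -d ' ')" = "1" ] &&
        grep -q '^Internal (Software) Token:..*$' "$1"
}
audit_pin_file() {  # audit_pin_file FILE USER -> 0 only if every check passes
    pin_file_mode_ok "$1" && pin_file_owner_ok "$1" "$2" && pin_file_format_ok "$1"
}

# Stand-alone run in a scratch directory, as the invoking user
tmp=$(mktemp -d)
write_pin_file "$tmp/slapd-myhost-pin.txt" 'example-password'
if audit_pin_file "$tmp/slapd-myhost-pin.txt" "$(id -un)"; then
    echo "pin file ok"
fi
rm -rf "$tmp"
```

Run the audit after every restart that involved editing the file: a pin file recreated with vi as root under the default umask is readable by every local user until the chmod, and it is then owned by root rather than by the server's user.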
 
Run idsconfig
/usr/lib/ldap/idsconfig
# Assume: Naming Base DN: dc=test,dc=sun,dc=com      Domain: test.sun.com
# When prompted for Authentication Methods, choose at least one that starts 
with tls: (the tls: methods are the ones that make the client use SSL)
# Choose an appropriate name for the profile (say tls-profile). The default 
name is default.
 
Solaris Native LDAP client side
# Create the NSS DB (do not set a password; just press return. The client 
library opens this DB without a PIN)
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
# Copy the Test CA certificate (cacert.pem, never the CA key) to the client 
machine into a temporary location. Ex: /var/tmp/cacert.pem
# Add the CA certificate to the NSS DB
certutil -A -n ca-cert -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
# Verify that myhost resolves to its fully qualified name: the client compares 
the name it connects to with the cn in the server certificate. Otherwise 
modify /etc/hosts (and if necessary /etc/nsswitch.conf)
getent hosts 11.22.33.44 
11.22.33.44 myhost.test.sun.com
# Test with ldapsearch over SSL (-Z) using the client's NSS DB
ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b dc=sun,dc=com -s base 'objectclass=*'
# Initialize the Native LDAP client using profile tls-profile. Note that the 
proxy password given on the command line is visible in ps output and in the 
shell history.
/usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy 11.22.33.44