
I'm using OpenDS as an LDAP server. Is it possible to store SSL certificates for several applications (Tomcat/Apache Webserver etc.) in LDAP?

I think "userCertificate" wouldn't be the right choice. Could this be handled by an extension?

Thanks in advance. Regards, Daniel

Daniel
  • Follow up: https://stackoverflow.com/questions/33414640/how-to-store-keystore-using-userpkcs12-in-ldap – ceving Dec 06 '19 at 10:40

1 Answer


It depends on the purpose.

  • userCertificate is for certificates
  • userPKCS12 is for PKCS12 keystores including key-pairs, certificates, and signer chains.

One object class that includes them both is inetOrgPerson.

user207421
  • Alright. If I have this entry `dn: cn=Tomcat,ou=ApplicationContext,dc=example,dc=com objectClass: top objectClass: applicationEntity supportedApplicationContext: Java presentationAddress: /opt/Tomcat cn: Tomcat` I just have to add: `userCertificate: certificate information` Right? – Daniel Oct 27 '15 at 11:35
  • Right if `applicationEntity` supports that attribute. Otherwise you'll have to use an object class that does, or add a mix-in object class to this entry that supports `userCertificate`. I found one yesterday but I can't remember what it is. I don't see why you would want to store certificates with Tomcat but not keys. – user207421 Oct 27 '15 at 20:08
  • Just to add the name of the auxiliary class that contains the `userCertificate` attribute is `pkiUser`. – Zoran Regvart Oct 27 '15 at 21:44
  • @ZoranRegvart Thanks. – user207421 Oct 27 '15 at 21:46
  • Thanks @EJP and @ZoranRegvart for your helpful answers. During installation of Tomcat (using a shell script) the keystore is generated automatically. I just want to store the certificate because I want other tomcats to query LDAP for this certificate and then import it into **their** truststore. `applicationEntity` doesn't have the certificate attribute but maybe I will just add a new object class with all attributes of `applicationEntity` and the `userCertificate` attribute – Daniel Oct 28 '15 at 08:52
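The approach the answer and comments converge on (add the auxiliary class `pkiUser` to the `cn=Tomcat` entry from the question, store the certificate in `userCertificate;binary`, and let other Tomcats read it back) as an added example; this is not code from the answer or from OpenDS. It builds the LDIF modify request and parses the LDIF that `ldapsearch` returns, handling base64 (`::`) values and RFC 2849 line folding; the DN is taken from the question, the certificate bytes are a constructed placeholder, and the server is assumed to have the standard `pkiUser` class in its schema.

```python
import base64
import re

# DN from the question; pkiUser (from the comments) carries userCertificate.
ENTRY_DN = "cn=Tomcat,ou=ApplicationContext,dc=example,dc=com"

# Constructed placeholder standing in for a DER-encoded X.509 certificate.
SAMPLE_DER = bytes(range(256)) * 2


def ldif_fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    out = [line[:width]]
    for i in range(width, len(line), width - 1):
        out.append(" " + line[i:i + width - 1])
    return "\n".join(out)


def add_certificate_ldif(dn: str, der: bytes) -> str:
    """LDIF 'changetype: modify' that adds the pkiUser class and the certificate.
    Binary attribute values are base64-encoded and introduced with '::'."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: pkiUser",
        "-",
        "add: userCertificate;binary",
        ldif_fold(f"userCertificate;binary:: {b64}"),
        "-",
    ]
    return "\n".join(lines) + "\n"


def extract_certificates(ldif: str) -> list:
    """Return the DER bytes of every userCertificate in ldapsearch LDIF output."""
    # Unfold first: a line beginning with a space continues the previous line.
    unfolded = re.sub(r"\n ", "", ldif)
    certs = []
    for line in unfolded.splitlines():
        m = re.match(r"^userCertificate(?:;binary)?::\s*(\S+)$", line)
        if m:
            certs.append(base64.b64decode(m.group(1)))
    return certs


if __name__ == "__main__":
    # Feed this to ldapmodify (with your host and bind options) to store the cert.
    print(add_certificate_ldif(ENTRY_DN, SAMPLE_DER))
    # On another Tomcat: pass the ldapsearch output for ENTRY_DN to
    # extract_certificates(), write the DER to a file, then import it with
    # keytool -importcert -file tomcat.der -alias tomcat -keystore truststore.jks
```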