<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !      Copyright 2013-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-change-certs'
         xmlns='http://docbook.org/ns/docbook'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Changing Server Certificates</title>

 <indexterm><primary>Certificates</primary></indexterm>

 <para>OpenDJ uses key stores (for private keys) and trust stores (for
 public, signed certificates). Up to three sets of key stores are used,
 as shown in the following illustration.</para>

 <mediaobject xml:id="figure-keystores">
  <caption><para>OpenDJ uses different sets of public and private keys for
  different secure connections.</para></caption>
 </mediaobject>

 <para>By default the key stores are located in the</para>

 <para>The <filename>keystore</filename> and <filename>truststore</filename>
 hold keys for securing connections with client applications.</para>

 <para>The <filename>admin-keystore</filename> and
 <filename>admin-truststore</filename> hold keys for securing administrative
 connections, such as those used when connecting with the
 <command>dsconfig</command> command.</para>

 <para>The <filename>ads-truststore</filename> holds keys for securing
 replication connections with other OpenDJ servers in the replication</para>

 <para>Each key store has a specific purpose.</para>

 <variablelist>
  <varlistentry>
   <term><filename>admin-keystore</filename></term>
   <listitem>
    <para>This Java Key Store holds the private key and administrative
    certificate for the server, <literal>admin-cert</literal>. This key pair
    is used to protect communications on the administration port. The password,
    for <literal>admin-cert</literal>.</para>
   </listitem>
  </varlistentry>

  <varlistentry>
   <term><filename>admin-truststore</filename></term>
   <listitem>
    <para>This Java Key Store holds a copy of the administrative certificate,
    <literal>admin-cert</literal>. The password is the same as for the
    <filename>admin-keystore</filename>, in other words the string in</para>
   </listitem>
  </varlistentry>

  <varlistentry>
   <term><filename>ads-truststore</filename></term>
   <listitem>
    <para>This Java Key Store holds public key certificates of all servers
    replicating with the current server. It also includes the
    <literal>ads-certificate</literal> key pair of the current server.</para>

    <para>Do not change this key store directly.</para>
   </listitem>
  </varlistentry>

  <varlistentry>
   <term><filename>keystore</filename></term>
   <listitem>
    <para>This Java Key Store holds the private key and server certificate,
    <literal>server-cert</literal>, used to protect TLS/SSL communications
    with client applications. The password, stored in
    <literal>server-cert</literal>.</para>
   </listitem>
  </varlistentry>

  <varlistentry>
   <term><filename>truststore</filename></term>
   <listitem>
    <para>This Java Key Store holds a copy of the <literal>server-cert</literal>
    certificate from the <filename>keystore</filename>. This is also where you
    import certificates of client applications if you want OpenDJ to recognize
    them. The password is the same as for the <filename>keystore</filename>,</para>
   </listitem>
  </varlistentry>
 </variablelist>

 <para>Examples in this chapter use self-signed certificates, but you can
 also use certificates signed by a Certificate Authority (CA).</para>

 <para>When importing a certificate (<command>keytool -import</command>)
 signed by a well-known CA, use the <option>-trustcacerts</option> option
 to trust the CA certificates delivered with the Java runtime</para>

 <procedure xml:id="replace-key-pair">
  <title>To Replace a Server Key Pair</title>

  <para>This procedure shows how to replace a server key pair in the
  <filename>admin-keystore</filename> and copy of the administrative certificate
  in <filename>admin-truststore</filename>.</para>

  <para>The examples also apply when replacing a key pair in the
  <filename>keystore</filename> and copy of the server certificate in
  <filename>truststore</filename>. Just adapt the commands to use the correct
  key store, trust store, and PIN file names.</para>

  <para>This procedure does not apply for replication key pairs. Instead, see
  <xref linkend="replace-ads-cert" />.</para>

  <step>
   <para>Check the alias of the key pair and certificate copy to replace.</para>

   <screen>
<computeroutput>Keystore type: JKS
Your keystore contains 1 entry
admin-cert, Mar 15, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</computeroutput>
</screen>

   <screen>
<computeroutput>Keystore type: JKS
Your keystore contains 1 entry
admin-cert, Mar 15, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</computeroutput>
</screen>

   <para>This alias is also stored in the server configuration.</para>
  </step>

  <step>
   <para>Remove the key pair and certificate copy to replace.</para>

   <screen>
 -keystore admin-truststore \
</screen>
  </step>

  <step>
   <para>Generate a new key pair in the key store.</para>

   <para>Notice that the <option>-alias</option> option takes the same alias
   as before. This is because the <literal>ssl-cert-nickname</literal> for
   the Administration Connector is configured as <literal>admin-cert</literal>.
   Also, the <option>-dname</option> option has a CN value corresponding to the
   fully-qualified domain name of the host where OpenDJ directory server is</para>
  </step>

  <step>
   <para>Get the new key pair's certificate signed, using one of the following</para>

   <itemizedlist>
    <listitem>
     <para>Self-sign the certificate.</para>
    </listitem>

    <listitem>
     <para>Create a certificate signing request, have it signed by a CA, and
     import the signed certificate from the CA reply.</para>
    </listitem>
   </itemizedlist>

   <para>For examples of the <command>keytool</command> commands to use, see
   the procedure <link xlink:href="admin-guide#new-ca-signed-cert"><citetitle>
   Install a CA-Signed Certificate</citetitle></link>.</para>
  </step>

  <step>
   <para>Export a copy of the certificate from the key store.</para>
  </step>

  <step>
   <para>Import the copy of the certificate into the trust store.</para>

   <screen>
 -keystore admin-truststore \
<computeroutput>Valid from: Fri Mar 15 15:15:20 CET 2013 until: Thu Jun 13 16:15:20 CEST 2013
 MD5: DD:2A:A1:3A:39:87:DF:02:15:A4:8A:9D:77:89:F1:E4
 SHA1: E1:99:82:92:D7:9B:28:B7:93:D2:B5:5B:C9:DA:4E:D2:62:C2:E7:B0
 SHA256: C5:34:9C:04:E2:87:A9:B1:72:B5:...:99:86:3A:02:28:D0:AB:02:5F:F4:BE
 Signature algorithm name: SHA256withRSA
#1: ObjectId: 2.5.29.17 Criticality=false
#2: ObjectId: 2.5.29.14 Criticality=false
Trust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
</screen>
  </step>

  <step>
   <para>Restart OpenDJ to make sure it reloads the key stores.</para>

   <screen>
$ <userinput>stop-ds --restart</userinput>
</screen>

   <para>If you have client applications trusting the self-signed certificate,</para>
  </step>
 </procedure>
 <procedure xml:id="replace-ads-cert">
  <title>To Replace the Key Pair Used for Replication</title>

  <para>Follow these steps to replace the key pair that is used to
  secure replication connections.</para>

  <step>
   <para>Generate a new key pair for the server.</para>

   <para>The changes you perform are replicated across the topology.</para>

   <para>OpenDJ has an <literal>ads-certificate</literal> and private
   key, which is a local copy of the key pair used to secure replication</para>

   <para>To generate the new key pair, you remove the
   <literal>ads-certificate</literal> key pair, prompt OpenDJ to
   generate a new <literal>ads-certificate</literal> key pair, and
   then add a copy to the administrative data using the MD5 fingerprint
   of the certificate to define the RDN.</para>

   <substeps>
    <step>
     <para>Delete the <literal>ads-certificate</literal> entry.</para>

     <screen>
<userinput>  --bindDN "cn=Directory Manager" \
  --bindPassword password</userinput>
<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
Processing DELETE request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
DELETE operation successful for DN ds-cfg-key-id=ads-certificate,
 cn=ads-truststore</computeroutput>
</screen>
    </step>

    <step>
     <para>Prompt OpenDJ to generate a new, self-signed
     <literal>ads-certificate</literal> key pair.</para>

     <para>You do this by adding an <literal>ads-certificate</literal> entry
     with object class <literal>ds-cfg-self-signed-cert-request</literal>.</para>

     <screen>
<userinput>  --bindDN "cn=Directory Manager" \
  --bindPassword password</userinput>
<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
objectclass: ds-cfg-self-signed-cert-request
Processing ADD request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
ADD operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore</computeroutput>
</screen>
    </step>

    <step>
     <para>Retrieve the <literal>ads-certificate</literal> entry.</para>

     <screen>
<userinput>  --baseDN cn=ads-truststore \
  "(ds-cfg-key-id=ads-certificate)"</userinput>
<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
ds-cfg-key-id: ads-certificate
ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
 QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
 LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
 0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
 GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
 srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
objectClass: ds-cfg-instance-key</computeroutput>
</screen>
    </step>

    <step>
     <para>Retrieve the MD5 fingerprint of the
     <literal>ads-certificate</literal>.</para>

     <para>In this example, the MD5 fingerprint is
     <literal>07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C</literal>.</para>

     <screen>
<computeroutput>Alias name: ads-certificate
Valid from: Thu Feb 07 11:30:33 CET 2013 until: Wed Feb 02 11:30:33 CET 2033
 MD5: 07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C
 SHA1: 56:30:F6:79:AA:C0:BD:61:88:3E:FB:38:38:9D:84:70:0B:E4:43:57
 SHA256: A8:4B:81:EE:30:2A:0C:09:2E:...:C1:41:F5:AB:19:C6:EE:AB:50:64
 Signature algorithm name: SHA1withRSA
 Version: 3</computeroutput>
</screen>
    </step>

    <step>
     <para>Using the MD5 fingerprint and the certificate entry, prepare LDIF
     to update <literal>cn=admin data</literal> with the new server</para>

     <screen>
<computeroutput>dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,
ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
 QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
 LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
 0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
 GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
 srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
objectClass: ds-cfg-instance-key
ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C</computeroutput>
</screen>
    </step>

    <step>
     <para>Update the administrative data, causing OpenDJ to create a
     copy of the new <literal>ads-certificate</literal> with its MD5 fingerprint
     as the alias in the <filename>ads-truststore</filename>.</para>

     <screen>
<userinput>  --bindDN "cn=Directory Manager" \</userinput>
<computeroutput>Processing ADD request for ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
 cn=instance keys,cn=admin data
ADD operation successful for DN ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
 cn=instance keys,cn=admin data
 cn=admin data</computeroutput>
</screen>
    </step>
   </substeps>
  </step>
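 <para>The substeps above derive the new <literal>cn=admin data</literal> entry
 by hand: read the certificate out of the <literal>ads-certificate</literal>
 entry, take its MD5 fingerprint, and use the fingerprint without colons as
 <literal>ds-cfg-key-id</literal>. The following Python script is an added
 example, not code from the OpenDJ documentation or project, that performs
 that derivation from the <command>ldapsearch</command> LDIF: it unfolds LDIF
 continuation lines, base64-decodes the
 <literal>ds-cfg-public-key-certificate;binary</literal> value, prints the MD5
 fingerprint in the notation <command>keytool</command> uses, and emits the
 LDIF to add under <literal>cn=instance keys,cn=admin data</literal>. Its
 <literal>SAMPLE_LDIF</literal> is constructed: the certificate value is the
 base64 of the ASCII string "abc", a stand-in for DER bytes, so the script runs
 without a server or key store.</para>

```python
"""From the ads-certificate entry to the cn=admin data LDIF.

Added example, not part of the OpenDJ documentation. Unfolds the LDIF that
ldapsearch returns for ds-cfg-key-id=ads-certificate,cn=ads-truststore,
decodes the certificate, computes its MD5 fingerprint as keytool prints it,
strips the colons to get the ds-cfg-key-id used as RDN, and builds the entry
to add under cn=instance keys,cn=admin data. SAMPLE_LDIF is constructed
("YWJj" is base64("abc"), not a real certificate).
"""
import base64
import hashlib
from typing import List, Tuple

ADMIN_DATA_BASE = "cn=instance keys,cn=admin data"
CERT_ATTR = "ds-cfg-public-key-certificate;binary"

# Constructed sample entry; the binary attribute is folded over two lines
# as LDIF permits, to exercise the unfolding.
SAMPLE_LDIF = """\
dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
ds-cfg-key-id: ads-certificate
ds-cfg-public-key-certificate;binary:: YW
 Jj
objectClass: ds-cfg-instance-key
"""


def unfold_ldif(text: str) -> List[Tuple[str, str, bool]]:
    """Return (attribute, value, is_base64) triples from one LDIF entry.

    A line starting with one space continues the previous line; "::" marks
    a base64-encoded value.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    triples = []
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            triples.append((name, value[1:].strip(), True))
        else:
            triples.append((name, value.strip(), False))
    return triples


def certificate_der(ldif_text: str) -> bytes:
    """Extract the certificate bytes from the ads-certificate entry."""
    for name, value, is_b64 in unfold_ldif(ldif_text):
        if name.lower() == CERT_ATTR:
            if not is_b64:
                raise ValueError(f"{CERT_ATTR} must be base64 encoded")
            return base64.b64decode(value, validate=True)
    raise ValueError(f"entry has no {CERT_ATTR} attribute")


def md5_fingerprint(der: bytes) -> str:
    """MD5 fingerprint as keytool prints it: uppercase hex pairs joined by colons."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_to_key_id(fingerprint: str) -> str:
    """ds-cfg-key-id RDN value: the MD5 fingerprint with the colons removed."""
    key_id = fingerprint.replace(":", "").upper()
    if len(key_id) != 32 or any(c not in "0123456789ABCDEF" for c in key_id):
        raise ValueError(f"not an MD5 fingerprint: {fingerprint!r}")
    return key_id


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; each continuation line starts with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def admin_data_ldif(ldif_text: str) -> str:
    """Build the LDIF that adds the new instance key under cn=admin data."""
    der = certificate_der(ldif_text)
    key_id = fingerprint_to_key_id(md5_fingerprint(der))
    cert_b64 = base64.b64encode(der).decode("ascii")
    lines = [
        f"dn: ds-cfg-key-id={key_id},{ADMIN_DATA_BASE}",
        f"ds-cfg-key-id: {key_id}",
        fold_ldif_line(f"{CERT_ATTR}:: {cert_b64}"),
        "objectClass: ds-cfg-instance-key",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(admin_data_ldif(SAMPLE_LDIF), end="")
```

 <para>With the real entry, <literal>fingerprint_to_key_id</literal> applied to
 the fingerprint <command>keytool</command> printed in the earlier substep
 gives the value used in the DN shown there,
 <literal>073580D8F3CEE1399CD073DB6CFACC1C</literal>. MD5 here only forms
 the alias that OpenDJ expects in <filename>ads-truststore</filename>; it is a
 name for the certificate, not an integrity check of it.</para>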
  <step>
   <para>Force OpenDJ to reopen replication connections using the new key</para>

   <para>Stop replication temporarily and then start it again as described
   in the <citetitle>Administration Guide</citetitle> section on <link
   xlink:href="admin-guide#configure-repl"><citetitle>Configuring
   Replication</citetitle></link>.</para>

   <screen>
<userinput>  set-synchronization-provider-prop \
  --bindDN "cn=Directory Manager" \
  --provider-name "Multimaster Synchronization" \</userinput>
</screen>

   <screen>
<userinput>  set-synchronization-provider-prop \
  --bindDN "cn=Directory Manager" \
  --provider-name "Multimaster Synchronization" \</userinput>
</screen>
  </step>
 </procedure>
</chapter>