Saturday, August 9, 2014

2048-bit SSL certs for ODSEE 11g, Entrust certificate upload error, LDAP certificate renewal


Starting December 2013, the request mentioned above no longer works, because Entrust is looking for a 2048-bit request instead of a 1024-bit one. To generate a 2048-bit request, use the following procedure:

  1. Log on to the server as root.
  2. It is always recommended to take a backup of your cert database first.
  3. Modify the following command for your context and paste it at the command line.

/apps/dsee7/bin/dsadm request-cert --name aaaaaaaa.utc.com --org orasystems --org-unit COR -F ascii --city Chicago --state IL --country US --phone 1234567890 --email first.last@orasystems.com --keysize 2048 -o /tmp/aaaaaaaa_cert_request_file <ODSEE instance>/dsee7/dsinstances/slapd-Users

 

where

  1. name -- the server where the certificate is being installed.
  2. org -- organization.
  3. org-unit -- business unit.
  4. city -- server location city.
  5. state -- server location state.
  6. country -- server location country.
  7. phone -- phone number of the requestor.
  8. email -- email address of the requestor.
  9. /tmp/aaaaaaaa_cert_request_file -- the path and name of the certificate request file that needs to be created.
  10. /dsee7/dsinstances/slapd-Users -- the path of the instance for which the certificate is being requested.
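Before uploading the request file to Entrust, it is worth confirming that the key inside it really is 2048 bits, since a 1024-bit request is exactly what the CA rejects. The check below is an added example, not code from the original post or from ODSEE; it reads the RSA modulus out of a PEM PKCS#10 CSR using only the Python standard library, and the sample CSRs it builds are constructed skeletons (empty subject, dummy signature) that exist only to exercise the check.

```python
import base64
import re

MIN_BITS = 2048  # key size Entrust has required for requests since December 2013

def _tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Return the values of the elements contained in a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(seq):
        _, val, pos = _tlv(seq, pos)
        out.append(val)
    return out

def csr_rsa_bits(pem):
    """Return the RSA modulus size in bits of a PEM-encoded PKCS#10 CSR."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    info = _children(_tlv(der, 0)[1])[0]   # CertificationRequestInfo
    spki = _children(info)[2]              # version, subject, SubjectPublicKeyInfo, attrs
    bitstr = _children(spki)[1]            # AlgorithmIdentifier, BIT STRING
    rsa_body = _tlv(bitstr[1:], 0)[1]      # skip unused-bits octet, open RSAPublicKey
    modulus = _tlv(rsa_body, 0)[1]         # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_csr(pem, min_bits=MIN_BITS):
    """Return (ok, bits); ok is False when the key is too small for the CA to accept."""
    bits = csr_rsa_bits(pem)
    return bits >= min_bits, bits

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample CSRs below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def make_sample_csr(bits):
    """Constructed CSR skeleton (empty subject, dummy signature) with a `bits`-bit modulus."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, b"\x00" + mod) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + rsa))
    info = _der(0x30, _der(0x02, b"\x00") + _der(0x30, b"") + spki + _der(0xA0, b""))
    csr = _der(0x30, info + _der(0x30, b"") + _der(0x03, b"\x00"))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")
```

For a real request, pass the contents of /tmp/aaaaaaaa_cert_request_file to check_csr(); a request generated with --keysize 2048 returns (True, 2048), while a leftover 1024-bit request returns (False, 1024).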

 

 

Export Certificate

./dsadm export-cert -o /tmp/server-cert-01.cert /dsee7/dsinstances/slapd-Users server-cert

 

Generating a certificate through the command line on a 5.2 server

 

1. Set keystore password (idsadmin)

root@devidm:(/iplanet52/servers/shared/bin)#  ./certutil -W -d /iplanet52/servers/alias -P "slapd-"

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:

 

 

2. Generate the CSR for the certificate

root@devidm:(/iplanet52/servers/shared/bin)# ./certutil -R -s "cn=servername,o=orasystems.com,l=hartford,st=CT,c=us" -a -o /tmp/cert-request.csr -d /iplanet52/servers/alias -P "slapd-" -g 2048

Enter Password or Pin for "NSS Certificate DB":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

(I entered numbers 1234567890 continuously until buffer filled)

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...


Renewing certificate

 

./certutil -A -n server-cert -d /iplanet52/servers/alias -t "C,C,C" -i /tmp/server-cert.txt -P "slapd-"
 
 
  

Additional commands

Adding/renewing a certificate through the command prompt.

Renewing a certificate
./dsadm renew-cert /dsee7/dsinstances/slapd-Users/ server-cert /renewed-certificate-path

Adding a certificate
./dsadm add-cert /dsee7/dsinstances/slapd-Users/ server-cert /new-certificate-path

Listing certificates
./dsadm list-certs /dsee7/dsinstances/slapd-Users/

Removing a certificate
./dsadm remove-cert /dsee7/dsinstances/slapd-Users/ cert-name

Exporting a certificate
./dsadm export-cert -W pwd.txt -o /tmp/server-cert-0p.cert /dsee7/dsinstances/slapd-Users server-cert

Importing a certificate (when exporting from the local server and importing it on the same or a different server)
./dsadm import-cert -W replmgpwd.txt /apps/dsee7/dsinstances/slapd-Users /tmp/server-cert-0p.cert
 

Newly installed instance modification

 

  1. If you create a new instance, the instance's certificate setting needs to be updated to use the CA-issued certificate.

Using the command prompt:

./dsconf set-server-prop -h ds1.idp-example.com -p 1489 ssl-rsa-cert-name:ds1

Enter "cn=Directory Manager" password: dsmanager

Before setting SSL configuration, export Directory Server data.

Do you want to continue [y/n] ?  y

Directory Server must be restarted for changes to take effect.

 

Using the GUI: change the certificate to server-cert (the name of the server certificate received during the online request).

Directory Server --> select instance name --> Security --> select General --> from Certificate, select the newly installed certificate.