I wanted the SSL Certificate of my LDAP Server which is Novell eDirectory. I have used openssl to connect to ldap to view the certificate.
There is a pretty simple way using only openssl s_client:
openssl s_client -connect 192.168.1.225:636 < /dev/null | openssl x509 -out cert.pem
The first line fetches the cert from the server and the second line parses the cert and allows transforming it into different formats, for example:
openssl x509 -noout -text: prints the certificate in text format, e.g., for debugging.
openssl x509 -outform der -out cert.crt: saves the cert in DER format.
You can check out the docs for all possible variations.
We liked using ldapsearch for performing this. The whole process is a few lines, but this is the gist of it:
ldapsearch -x -T ~/ -t -h your-edirectory-host.yourdomain.com -b "cn=Security" objectclass=nDSPKICertificateAuthority cACertificate
-jim
Or you can easily export the public and private key via iManager if you need them in either DER or PEM format. (DER is a binary format, PEM is a base64 encoded format, so in iManager, your choices will be DER or B64 and B64 ~= PEM in this context)
There is a tool that lets you collect and save an SSL/TLS certificate from a server that speaks not only LDAPS, but LDAP/STARTTLS too. That's a revision of the well-known InstallCert program, written in Java.
Just run it like this:
java -jar installcert-usn-20131123.jar host_name:port
and it will save the certificate for you in the jssecacerts keystore file in your JRE file tree, and also in the extracerts keystore file in your current directory. You can then use Java keytool to export the certificate(s) to other formats.
You are welcome to visit my blog page Yet another InstallCert for Java, now with STARTTLS support for download and instructions.
The easiest way I found to save a certificate from any SSL-enabled protocol like LDAP, IMAP, POP, FTPS, HTTPS etc. is just using the Chrome browser. Assuming your server is running any such protocol, create the URL like this: https://<host>:<port> (for example, if your LDAP server is running on SSL port 10636 it would be https://example.com:10636). Simply hit this URL and obtain the certificate from the Chrome browser itself. A simple demo below. In this demo my LDAP server is using a self-signed certificate.
Click on copy to file and save the certificate by clicking next.
This method works for any server running on SSL irrespective of protocol.
Cheers.
Copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including these delimiters) and paste it in a new text file (usually with the extension .pem or .crt). You can use your favourite (plain) text editor for this, for example Notepad, Gedit, Vim, Emacs (depending on the system you're using).
Alternatively, you can pipe the output to sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p', as described here:
echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
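An added example (not from any of the answers above) that wraps the openssl s_client and sed approaches from the first and last answers into a small script: it keeps only the first certificate block (the server's own leaf, not the rest of the chain), refuses to write an empty file when the handshake fails (the plain `> ldapserver.pem` redirect would silently produce one), and prints the SHA-256 fingerprint so it can be compared with what the LDAP administrator publishes. The function names, the host and port and the output file name are my own assumptions.

```shell
#!/bin/sh
# Added example: fetch the certificate an LDAPS server presents and keep
# only the PEM block. Function names and defaults are hypothetical.

# extract_first_pem: reads `openssl s_client` output on stdin and prints
# only the FIRST -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
# block (s_client with -showcerts prints the whole chain; the first block
# is the server's own certificate). Prints nothing if no block is present.
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         p && /-----END CERTIFICATE-----/ {exit}'
}

# fetch_ldaps_cert HOST PORT OUTFILE: connect with TLS (SNI set to HOST),
# save the leaf certificate as PEM, and print its SHA-256 fingerprint.
# Returns 1 and writes nothing when no certificate came back, instead of
# leaving an empty file behind like a bare redirect would.
fetch_ldaps_cert() {
    host=$1; port=$2; out=$3
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null | extract_first_pem)
    if [ -z "$pem" ]; then
        echo "no certificate received from $host:$port" >&2
        return 1
    fi
    printf '%s\n' "$pem" > "$out"
    # Fingerprint to verify out of band before trusting the saved cert.
    openssl x509 -in "$out" -noout -fingerprint -sha256
}

# Usage: sh fetch_ldaps_cert.sh ldap.example.test 636 ldapserver.pem
if [ "$#" -ge 2 ]; then
    fetch_ldaps_cert "$1" "$2" "${3:-ldapserver.pem}"
fi
```

For a server that only offers STARTTLS on port 389, the openssl s_client call would additionally need `-starttls ldap` (supported by OpenSSL 1.1.1 and later).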