Replacing the LDAPS certificate

The directory server exposes its LDAPS interface on port 636/tcp. Connections to this port are protected by TLS, and the listener has its own certificate configured, independent of the web proxy certificate.

Replacing the LDAPS certificate
  1. Certificate and key requirements.

  2. Replacing the certificate and key.

  3. Restarting the service iam-directory-server.

  4. Check.

Certificate and key requirements

The certificate and private key requirements are identical to the web proxy certificate requirements. We recommend using the same certificate for LDAPS as for the web proxy.

For LDAPS, save the private key to the file ldap.key, the server (leaf) certificate on its own to the file ldap.crt, and the rest of the certificate chain (the intermediate CA certificates) to the file chain.pem. Prepare these three files and upload them to the appliance filesystem before you begin.

Replacing the certificate and key

Let's replace the files. In this example, we assume that the new files were uploaded to /root/ldap-certificates.

  1. Change directory to /data/volumes/directory-server/secrets-certs/ and create backups of the original files.

    [root@localhost ~]# cd /data/volumes/directory-server/secrets-certs/
    [root@localhost secrets-certs]# cp chain.pem chain.pem.orig
    [root@localhost secrets-certs]# cp ldap.crt ldap.crt.orig
    [root@localhost secrets-certs]# cp ldap.key ldap.key.orig

  2. Copy the new certificate, key and chain into this directory, overwriting the existing files.

    [root@localhost secrets-certs]# cp /root/ldap-certificates/ldap.key ./
    cp: overwrite './ldap.key'? y
    [root@localhost secrets-certs]# cp /root/ldap-certificates/ldap.crt ./
    cp: overwrite './ldap.crt'? y
    [root@localhost secrets-certs]# cp /root/ldap-certificates/chain.pem ./
    cp: overwrite './chain.pem'? y

Restarting the service iam-directory-server

Restart the service so that it loads the new certificate and key.

[root@localhost ~]# systemctl restart iam-directory-server

Check

Connect to port 636/tcp and check that the LDAP server presents the new certificate. You can test the certificate with openssl or with a GUI client such as Apache Directory Studio.
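The whole procedure above (validate the prepared files, back up and replace the deployed set, restart, then confirm what the server actually presents on 636/tcp) as a POSIX shell helper. This is an added example, not the appliance's own tooling; it assumes openssl(1) is installed, that the files use the names from this guide (ldap.key, ldap.crt, chain.pem), and that the service listens on localhost:636 from the appliance's point of view. The pre-deployment checks catch the two mistakes that most often leave the directory server failing to start after a swap: a private key that does not belong to the certificate, and a chain file that does not complete the path from the leaf certificate.

```shell
#!/bin/sh
# Added helper for the LDAPS certificate replacement described in the guide.
# Assumes: openssl(1) is available; files are named ldap.key, ldap.crt, chain.pem.

# Verify that DIR holds a consistent set: the private key belongs to the
# certificate, chain.pem validates the certificate, and it is not about to
# expire. Returns non-zero on the first failed check.
check_cert_files() {
    dir=$1
    for f in ldap.key ldap.crt chain.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; return 1; }
    done
    # Derive the public key from the private key and compare it with the
    # public key embedded in the certificate; they must be byte-identical.
    key_pub=$(openssl pkey -in "$dir/ldap.key" -pubout 2>/dev/null) \
        || { echo "cannot parse $dir/ldap.key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$dir/ldap.crt" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse $dir/ldap.crt" >&2; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "ldap.key does not match ldap.crt" >&2; return 1; }
    # chain.pem is offered as intermediates (-untrusted) and as additional trust
    # anchors (-CAfile), so the check works whether or not it contains the root.
    openssl verify -CAfile "$dir/chain.pem" -untrusted "$dir/chain.pem" "$dir/ldap.crt" >/dev/null 2>&1 \
        || { echo "chain.pem does not validate ldap.crt" >&2; return 1; }
    # Refuse a certificate that expires within 7 days (604800 seconds).
    openssl x509 -in "$dir/ldap.crt" -noout -checkend 604800 >/dev/null \
        || { echo "ldap.crt expires within 7 days" >&2; return 1; }
    return 0
}

# Back up the currently deployed set with a timestamp suffix, then copy the
# new set over it. Overwriting in place (rather than mv) keeps the owner and
# mode of the existing files, which the service relies on; unlike the
# interactive cp in the guide this never prompts, so it is safe in scripts.
deploy_cert_files() {
    src=$1; dst=$2
    stamp=$(date +%Y%m%d%H%M%S)
    for f in ldap.key ldap.crt chain.pem; do
        if [ -f "$dst/$f" ]; then
            cp -p "$dst/$f" "$dst/$f.$stamp.orig" || return 1
        fi
        cp "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# After the restart: fetch the certificate presented on HOST:PORT and compare
# its SHA-256 fingerprint with the deployed ldap.crt in DIR. Returns 0 only
# when the server is really serving the new certificate.
presented_matches_local() {
    host=$1; port=$2; dir=$3
    remote_fp=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    local_fp=$(openssl x509 -in "$dir/ldap.crt" -noout -fingerprint -sha256)
    [ -n "$remote_fp" ] && [ "$remote_fp" = "$local_fp" ]
}

# Stand-alone use: sh replace-ldaps-cert.sh /root/ldap-certificates
# Runs the guide's steps in order with the directory and service name it gives.
if [ "$#" -eq 1 ]; then
    live=/data/volumes/directory-server/secrets-certs
    check_cert_files "$1" \
        && deploy_cert_files "$1" "$live" \
        && systemctl restart iam-directory-server \
        && presented_matches_local localhost 636 "$live"
fi
```

If check_cert_files fails, nothing has been touched yet, so the old set stays in service; if presented_matches_local fails after the restart, the timestamped .orig files in the secrets directory are what you restore before restarting again.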