SLAPO-AUTOCA(5)		      File Formats Manual	       SLAPO-AUTOCA(5)

NAME
       slapo-autoca - Automatic Certificate Authority overlay to slapd

SYNOPSIS
       /usr/local/etc/openldap/slapd.conf

DESCRIPTION
       The Automatic CA overlay generates X.509 certificate/key pairs for
       entries in the directory. The DN of a generated certificate is identical
       to the DN of the entry containing it. On startup it looks for a CA
       certificate and key in the suffix entry of the database, which it will
       use to sign all subsequently generated certificates. A new CA
       certificate and key will be generated and stored in the suffix entry if
       none already exists. The CA certificate is stored in the
       cACertificate;binary attribute of the suffix entry, and the private key
       is stored in the cAPrivateKey;binary attribute of the suffix entry.
       These attributes may be overwritten if some other CA certificate/key
       pair is desired for use.

       Certificates for users and servers are generated on demand using a
       Search request returning only the userCertificate;binary and
       userPrivateKey;binary attributes. Any Search for anything besides
       exactly these two attributes is ignored by the overlay. Note that these
       values are stored in ASN.1 DER form in the directory, so the ";binary"
       attribute option is mandatory.

       Entries that do not belong to the selected objectClasses will be
       ignored by the overlay. By default, entries of objectClass person will
       be treated as users, and entries of objectClass ipHost will be treated
       as servers. There are slight differences between users and servers in
       the set of X.509v3 certificate extensions added to the certificate.

       The CA's private key is stored in a cAPrivateKey attribute, and user
       and server private keys are stored in the userPrivateKey attribute. The
       private key values are encoded in PKCS#8 format. It is essential that
       access to these attributes be properly secured with ACLs. Both of these
       attributes inherit from the pKCS8PrivateKey attribute, so it is
       sufficient to use a single ACL rule like

	       access to attrs=pKCS8PrivateKey by self ssf=128 write

       at the beginning	of the rules.

       Currently there is no automated management for expiration or
       revocation. Obsolete certificates and keys must be manually removed by
       deleting an entry's userCertificate and userPrivateKey attributes.
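
       The following is an added example, not part of this manual page or of
       OpenLDAP. It shows the manual removal step just described as an LDIF
       modify, and a small check that a stored value really is DER, as the
       ";binary" requirement above implies (a DER certificate or PKCS#8 key
       always starts with an outer SEQUENCE, tag 0x30). It assumes POSIX sh
       with base64(1), od(1) and awk(1); the entry DN and the sample value
       are constructed for the example and the value is not a real
       certificate.

```shell
#!/bin/sh
# Added example (not from the slapo-autoca man page or OpenLDAP): housekeeping
# helpers for entries whose autoca-generated certificate/key must be removed
# by hand, plus a sanity check that a value is DER (as ";binary" requires).
# Assumes POSIX sh, base64(1), od(1), awk(1).

# Constructed sample: how an ldapsearch LDIF export of a user entry looks.
# The value is a minimal DER SEQUENCE { INTEGER 1, INTEGER 2 }
# (bytes 30 06 02 01 01 02 01 02), not a real certificate, so everything
# here runs offline.
SAMPLE_DER_B64='MAYCAQECAQI='
SAMPLE_LDIF="dn: uid=alice,dc=example,dc=com
objectClass: person
userCertificate;binary:: $SAMPLE_DER_B64
userPrivateKey;binary:: $SAMPLE_DER_B64
"

# Print the base64 value of one attribute from an LDIF export.
# LDIF marks base64-encoded values with a double colon.
ldif_attr_b64() {
    # $1 = LDIF text, $2 = attribute description, e.g. userCertificate;binary
    printf '%s\n' "$1" | awk -v a="$2" '
        index($0, a "::") == 1 { sub(/^[^:]*:: */, ""); print; exit }'
}

# Print the first byte of a base64-encoded value as two hex digits.
der_outer_tag() {
    printf '%s' "$1" | base64 -d | od -An -tx1 -N1 | tr -d ' \n'
}

# A DER certificate or PKCS#8 key is always an outer SEQUENCE (tag 0x30).
# A value whose first byte is anything else was almost certainly stored
# without the ";binary" option, or is not DER at all.
is_der_sequence() {
    [ "$(der_outer_tag "$1")" = "30" ]
}

# Emit the LDIF modify that removes an entry's generated certificate and
# key. This is the manual removal step the man page describes; the next
# Search asking for exactly the two attributes will mint a fresh pair.
revoke_ldif() {
    # $1 = DN of the entry
    printf 'dn: %s\nchangetype: modify\ndelete: userCertificate;binary\n-\ndelete: userPrivateKey;binary\n-\n' "$1"
}

# Stand-alone usage: "sh autoca-housekeeping.sh demo" (hypothetical file
# name) checks the sample value, then prints the cleanup LDIF.
if [ "${1:-}" = "demo" ]; then
    cert=$(ldif_attr_b64 "$SAMPLE_LDIF" 'userCertificate;binary')
    if is_der_sequence "$cert"; then
        echo "userCertificate;binary is a DER SEQUENCE"
    else
        echo "userCertificate;binary is not DER: check the ;binary option" >&2
    fi
    revoke_ldif 'uid=alice,dc=example,dc=com'
fi
```

       The LDIF produced by revoke_ldif is what one would feed to
       ldapmodify(1) for the entry in question; the overlay itself performs
       no revocation, so the removal is the whole procedure.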

CONFIGURATION
       These slapd.conf options apply to the Automatic CA overlay. They
       should appear after the overlay directive.

       userClass <objectClass>
	      Specify the objectClass to be treated as user entries.

       serverClass <objectClass>
	      Specify the objectClass to be treated as server entries.

       userKeybits <integer>
	      Specify the size of the private key to use for user
	      certificates. The default is 2048 and the minimum is 512.

       serverKeybits <integer>
	      Specify the size of the private key to use for server
	      certificates. The default is 2048 and the minimum is 512.

       caKeybits <integer>
	      Specify the size of the private key to use for the CA
	      certificate. The default is 2048 and the minimum is 512.

       userDays <integer>
	      Specify the duration for a user certificate's validity. The
	      default is 365, 1 year.

       serverDays <integer>
	      Specify the duration for a server certificate's validity. The
	      default is 1826, 5 years.

       caDays <integer>
	      Specify the duration for the CA certificate's validity. The
	      default is 3652, 10 years.

       localDN <DN>
	      Specify the DN of an entry that represents this server. Requests
	      to generate a certificate/key pair for this DN will also install
	      the certificate and key into slapd's TLS settings in cn=config
	      for immediate use.

EXAMPLES
	 database mdb
	 ...
	 overlay autoca
	 caKeybits 4096
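
       As a further added example (not from this manual page or from
       OpenLDAP), the shell function below emits a slapd.conf fragment that
       combines the pKCS8PrivateKey ACL rule from DESCRIPTION with the
       options documented in CONFIGURATION, and a second function checks
       that the private-key rule really is the first access rule of the
       database, since slapd uses the first access clause whose target
       matches. The suffix, the server's own DN, the key sizes and the two
       ACL rules other than the pKCS8PrivateKey one are assumed values.

```shell
#!/bin/sh
# Added example (not from the slapo-autoca man page or OpenLDAP): emit a
# slapd.conf fragment enabling the overlay with the documented options, and
# check that the private-key ACL is the first access rule. Assumes POSIX sh
# and awk(1); suffix, localDN, key sizes and the extra ACL rules are assumed.

autoca_conf() {
    # $1 = database suffix, $2 = DN of this server's own entry (localDN)
    cat <<EOF
database mdb
suffix "$1"
# ... other mdb settings (directory, rootdn, ...) go here

# ACLs for this database. The private-key rule comes first so that no
# broader rule below can match the key attributes before it does: slapd
# uses the first "access to" clause whose target matches. Both
# cAPrivateKey and userPrivateKey inherit from pKCS8PrivateKey, so one rule
# covers them; only the owning entry may read or write its key, and only
# over a connection with security strength factor 128 or more.
access to attrs=pKCS8PrivateKey by self ssf=128 write
access to attrs=userPassword by self write by anonymous auth
access to * by self write by users read

# Overlay options must follow the overlay directive.
overlay autoca
userClass person
serverClass ipHost
userKeybits 2048
serverKeybits 3072
caKeybits 4096
userDays 365
serverDays 1826
caDays 3652
localDN "$2"
EOF
}

# Return 0 if the first "access to" line in the fragment is the
# pKCS8PrivateKey rule, 1 otherwise (including when no rule is present).
acl_protects_keys_first() {
    # $1 = slapd.conf text
    printf '%s\n' "$1" | awk '
        /^access to/ && !seen { seen = 1; ok = ($0 ~ /attrs=pKCS8PrivateKey/) }
        END { exit ok ? 0 : 1 }'
}

# Stand-alone usage: print the fragment for an assumed suffix and server DN,
# then report whether its ACL order protects the keys.
if [ "${1:-}" = "demo" ]; then
    conf=$(autoca_conf 'dc=example,dc=com' 'cn=ldap.example.com,ou=hosts,dc=example,dc=com')
    printf '%s\n' "$conf"
    if acl_protects_keys_first "$conf"; then
        echo "OK: pKCS8PrivateKey rule is the first access rule"
    else
        echo "WARNING: a broader access rule precedes the private-key rule" >&2
    fi
fi
```

       Running acl_protects_keys_first over an existing slapd.conf is a
       quick way to catch the common mistake of appending the
       pKCS8PrivateKey rule after an "access to *" rule, where it would
       never be reached.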

FILES
       /usr/local/etc/openldap/slapd.conf
	      default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5).

AUTHOR
       Howard Chu

OpenLDAP 2.6.9			  2024/11/26		       SLAPO-AUTOCA(5)