наложение автоматического центра сертификации на slapd (Automatic Certificate Authority overlay to slapd)
Имя (Name)
slapo-autoca - Automatic Certificate Authority overlay to slapd
Синопсис (Synopsis)
ETCDIR/slapd.conf
Описание (Description)
The Automatic CA overlay generates X.509 certificate/key pairs
for entries in the directory. The DN of a generated certificate
is identical to the DN of the entry containing it. On startup it
looks for a CA certificate and key in the suffix entry of the
database which it will use to sign all subsequently generated
certificates. A new CA certificate and key will be generated and
stored in the suffix entry if none already exists. The CA
certificate is stored in the cACertificate;binary attribute of
the suffix entry, and the private key is stored in the
cAPrivateKey;binary attribute of the suffix entry. These
attributes may be overwritten if some other CA certificate/key
pair is desired for use.
Certificates for users and servers are generated on demand using
a Search request returning only the userCertificate;binary and
userPrivateKey;binary attributes. Any Search for anything besides
exactly these two attributes is ignored by the overlay. Note that
these values are stored in ASN.1 DER form in the directory so the
";binary" attribute option is mandatory.
Entries that do not belong to selected objectClasses will be
ignored by the overlay. By default, entries of objectClass person
will be treated as users, and entries of objectClass ipHost will
be treated as servers. There are slight differences in the set of
X.509V3 certificate extensions added to the certificate between
users and servers.
The CA's private key is stored in a cAPrivateKey attribute, and
user and server private keys are stored in the userPrivateKey
attribute. The private key values are encoded in PKCS#8 format.
It is essential that access to these attributes be properly
secured with ACLs. Both of these attributes inherit from the
pKCS8PrivateKey attribute, so it is sufficient to use a single
ACL rule like
access to attrs=pKCS8PrivateKey by self ssf=128 write
at the beginning of the rules.
Currently there is no automated management for expiration or
revocation. Obsolete certificates and keys must be manually
removed by deleting an entry's userCertificate and userPrivateKey
attributes.
Конфигурация (Configuration)
These slapd.conf options apply to the Automatic CA overlay. They
should appear after the overlay directive.
userClass <objectClass>
Specify the objectClass to be treated as user entries.
serverClass <objectClass>
Specify the objectClass to be treated as server entries.
userKeybits <integer>
Specify the size of the private key to use for user
certificates. The default is 2048 and the minimum is 512.
serverKeybits <integer>
Specify the size of the private key to use for server
certificates. The default is 2048 and the minimum is 512.
caKeybits <integer>
Specify the size of the private key to use for the CA
certificate. The default is 2048 and the minimum is 512.
userDays <integer>
Specify the duration for a user certificate's validity.
The default is 365, 1 year.
serverDays <integer>
Specify the duration for a server certificate's validity.
The default is 1826, 5 years.
caDays <integer>
Specify the duration for the CA certificate's validity.
The default is 3652, 10 years.
localDN <DN>
Specify the DN of an entry that represents this server.
Requests to generate a certificate/key pair for this DN
will also install the certificate and key into slapd's TLS
settings in cn=config for immediate use.
Примеры (Examples)
database mdb
...
overlay autoca
caKeybits 4096
Файлы (Files)
ETCDIR/slapd.conf
default slapd configuration file
Смотри также (See also)
slapd.conf(5), slapd-config(5).
