1SLAPO-AUTOCA(5)               File Formats Manual              SLAPO-AUTOCA(5)
2
3
4

NAME

6       slapo-autoca - Automatic Certificate Authority overlay to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  Automatic CA overlay generates X.509 certificate/key pairs for en‐
13       tries in the directory. The DN of a generated certificate is  identical
14       to the DN of the entry containing it. On startup it looks for a CA cer‐
15       tificate and key in the suffix entry of the database which it will  use
16       to  sign  all subsequently generated certificates. A new CA certificate
17       and key will be generated and stored in the suffix entry  if  none  al‐
18       ready  exists. The CA certificate is stored in the cACertificate;binary
19       attribute of the suffix entry, and the private key  is  stored  in  the
20       cAPrivateKey;binary attribute of the suffix entry. These attributes may
21       be overwritten if some other CA certificate/key  pair  is  desired  for
22       use.
23
24       Certificates  for  users  and  servers  are generated on demand using a
25       Search request returning only the userCertificate;binary  and  userPri‐
26       vateKey;binary  attributes.  Any  Search  for  anything besides exactly
27       these two attributes is ignored by the overlay. Note that these  values
28       are  stored  in ASN.1 DER form in the directory so the ";binary" attri‐
29       bute option is mandatory.
30
31       Entries that do not belong to selected objectClasses will be ignored by
32       the  overlay. By default, entries of objectClass person will be treated
33       as users, and entries of objectClass ipHost will be treated as servers.
34       There  are  slight differences in the set of X.509V3 certificate exten‐
35       sions added to the certificate between users and servers.
36
37       The CA's private key is stored in a cAPrivateKey  attribute,  and  user
38       and server private keys are stored in the userPrivateKey attribute. The
39       private key values are encoded in PKCS#8 format.  It is essential  that
40       access to these attributes be properly secured with ACLs. Both of these
41       attributes inherit from the pKCS8PrivateKey attribute, so it is  suffi‐
42       cient to use a single ACL rule like
43
44               access to attrs=pKCS8PrivateKey by self ssf=128 write
45
46       at the beginning of the rules.
47
48       Currently  there  is  no automated management for expiration or revoca‐
49       tion.  Obsolete certificates and  keys  must  be  manually  removed  by
50       deleting an entry's userCertificate and userPrivateKey attributes.
51
52

CONFIGURATION

54       These  slapd.conf  options  apply  to  the  Automatic CA overlay.  They
55       should appear after the overlay directive.
56
57       userClass <objectClass>
58              Specify the objectClass to be treated as user entries.
59
60       serverClass <objectClass>
61              Specify the objectClass to be treated as server entries.
62
63       userKeybits <integer>
64              Specify the size of the private key to  use  for  user  certifi‐
65              cates.  The default is 2048 and the minimum is 512.
66
67       serverKeybits <integer>
68              Specify  the  size of the private key to use for server certifi‐
69              cates.  The default is 2048 and the minimum is 512.
70
71       caKeybits <integer>
72              Specify the size of the private key to use for the  CA  certifi‐
73              cate.  The default is 2048 and the minimum is 512.
74
75       userDays <integer>
76              Specify the duration for a user certificate's validity.  The de‐
77              fault is 365, 1 year.
78
79       serverDays <integer>
80              Specify the duration for a server certificate's  validity.   The
81              default is 1826, 5 years.
82
83       caDays <integer>
84              Specify the duration for the CA certificate's validity.  The de‐
85              fault is 3652, 10 years.
86
87       localDN <DN>
88              Specify the DN of an entry that represents this server. Requests
89              to generate a certificate/key pair for this DN will also install
90              the certificate and key into slapd's TLS settings  in  cn=config
91              for immediate use.
92
93

EXAMPLES

95         database mdb
96         ...
97         overlay autoca
98         caKeybits 4096
99

FILES

101       /etc/openldap/slapd.conf
102              default slapd configuration file
103

SEE ALSO

105       slapd.conf(5), slapd-config(5).
106

AUTHOR

108       Howard Chu
109
110
111
112OpenLDAP 2.6.2                    2022/05/04                   SLAPO-AUTOCA(5)
Impressum