1SLAPO-AUTOCA(5) File Formats Manual SLAPO-AUTOCA(5)
2
6 slapo-autoca - Automatic Certificate Authority overlay to slapd
7
9 /etc/openldap/slapd.conf
10
12 The Automatic CA overlay generates X.509 certificate/key pairs for en‐
13 tries in the directory. The DN of a generated certificate is identical
14 to the DN of the entry containing it. On startup it looks for a CA cer‐
15 tificate and key in the suffix entry of the database which it will use
16 to sign all subsequently generated certificates. A new CA certificate
17 and key will be generated and stored in the suffix entry if none al‐
18 ready exists. The CA certificate is stored in the cACertificate;binary
19 attribute of the suffix entry, and the private key is stored in the
20 cAPrivateKey;binary attribute of the suffix entry. These attributes may
21 be overwritten if some other CA certificate/key pair is desired for
22 use.
23 Certificates for users and servers are generated on demand using a
25 Search request returning only the userCertificate;binary and userPri‐
26 vateKey;binary attributes. Any Search for anything besides exactly
27 these two attributes is ignored by the overlay. Note that these values
28 are stored in ASN.1 DER form in the directory so the ";binary" attri‐
29 bute option is mandatory.
30 Entries that do not belong to selected objectClasses will be ignored by
32 the overlay. By default, entries of objectClass person will be treated
33 as users, and entries of objectClass ipHost will be treated as servers.
34 There are slight differences in the set of X.509V3 certificate exten‐
35 sions added to the certificate between users and servers.
36 The CA's private key is stored in a cAPrivateKey attribute, and user
38 and server private keys are stored in the userPrivateKey attribute. The
39 private key values are encoded in PKCS#8 format. It is essential that
40 access to these attributes be properly secured with ACLs. Both of these
41 attributes inherit from the pKCS8PrivateKey attribute, so it is suffi‐
42 cient to use a single ACL rule like
43 access to attrs=pKCS8PrivateKey by self ssf=128 write
45 at the beginning of the rules.
47 Currently there is no automated management for expiration or revoca‐
49 tion. Obsolete certificates and keys must be manually removed by
50 deleting an entry's userCertificate and userPrivateKey attributes.
51
54 These slapd.conf options apply to the Automatic CA overlay. They
55 should appear after the overlay directive.
56 userClass <objectClass>
58 Specify the objectClass to be treated as user entries.
59 serverClass <objectClass>
61 Specify the objectClass to be treated as server entries.
62 userKeybits <integer>
64 Specify the size of the private key to use for user certifi‐
65 cates. The default is 2048 and the minimum is 512.
66 serverKeybits <integer>
68 Specify the size of the private key to use for server certifi‐
69 cates. The default is 2048 and the minimum is 512.
70 caKeybits <integer>
72 Specify the size of the private key to use for the CA certifi‐
73 cate. The default is 2048 and the minimum is 512.
74 userDays <integer>
76 Specify the duration for a user certificate's validity. The de‐
77 fault is 365, 1 year.
78 serverDays <integer>
80 Specify the duration for a server certificate's validity. The
81 default is 1826, 5 years.
82 caDays <integer>
84 Specify the duration for the CA certificate's validity. The de‐
85 fault is 3652, 10 years.
86 localDN <DN>
88 Specify the DN of an entry that represents this server. Requests
89 to generate a certificate/key pair for this DN will also install
90 the certificate and key into slapd's TLS settings in cn=config
91 for immediate use.
92
95 database mdb
96 ...
97 overlay autoca
98 caKeybits 4096
99
101 /etc/openldap/slapd.conf
102 default slapd configuration file
103
105 slapd.conf(5), slapd-config(5).
106
108 Howard Chu
109OpenLDAP 2.6.6 2023/07/31 SLAPO-AUTOCA(5)