
How do I get the SSL certificate for an LDAP server using StartTLS?

I am trying to configure my application to access an LDAP server that is listening only on port 389 using the StartTLS extension for security. I want to get a copy of the SSL certificate so I can specify it as a known certificate (in a jssecacerts file, since my application is written in Java).

If it was running on port 636, I would use openssl like so:

openssl s_client -host myhost -port 636

and grab the certificate from the output.

My first thought was to try using:

openssl s_client -host myhost -port 389 -starttls ...

but that doesn't support the LDAP version of starttls.

Then, I tried using ldapsearch with a high debug level:

ldapsearch -ZZ -h myhost -d99 ...

and I could see that the over-the-wire data includes the certificate, but it's not in a form that I know how to use.

Is there an easy way to get the certificate, either through command line tools or a short program? (I don't particularly care which language, but Java would be ideal)

A new revision of the well-known InstallCert program now supports STARTTLS for several protocols, LDAP included.

Just run it like this:

java -jar installcert-usn-20131123.jar host_name:389

and it will save the certificate for you in the jssecacerts keystore file in your JRE file tree, and also in the extracerts keystore file in your current directory. You can then use Java keytool to export the certificate(s) to other formats.

You are welcome to visit my blog page Yet another InstallCert for Java, now with STARTTLS support for download and instructions.

  1. Do a connect as described in the Javadoc, using the sample code at the top.

  2. That gives you the SSLSession, from which you can get the peer certificate chain, from which you can get the X509Certificate of the peer as element zero.

  3. Then save that wherever you need to, using Certificate.getEncoded() to get the certificate as a byte[] array. Or you could add it directly to a new or old KeyStore object and save that.

We have documented some of the different methods.

And yes, openSSL last time I looked STILL does not have the ability to use the LDAP protocol for the starttls option. It should be like:

openssl s_client -connect remote.host:25 -starttls LDAP
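The three steps above put together as an added example (not the answer's own code, and not InstallCert): a small Java program that issues the LDAP StartTLS extended operation through JNDI, takes the peer certificate from the resulting SSLSession, and writes it out as DER together with its SHA-256 fingerprint. The class name, the output file name ldap-server.cer and the default host myhost:389 are assumptions; the trust manager deliberately accepts whatever the server presents so the certificate can be captured, which is why the printed fingerprint has to be compared with one obtained another way before the file is imported.

```java
import java.io.FileOutputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class FetchStartTlsCert {
    // Lets the handshake complete whatever chain the server presents, so the
    // certificate can be captured. No trust decision is made here: compare the
    // printed fingerprint with one obtained out of band before importing the file.
    static final class CaptureOnlyTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            throw new CertificateException("client authentication is not used by this tool");
        }
        public void checkServerTrusted(X509Certificate[] c, String a) { /* capture only */ }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static void main(String[] args) throws Exception {
        String hostPort = args.length > 0 ? args[0] : "myhost:389";   // assumed default host:port
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + hostPort);
        LdapContext ctx = new InitialLdapContext(env, null);          // plain LDAP connection on 389
        // Step 1: the LDAP StartTLS extended operation, then a TLS handshake on the same socket.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new CaptureOnlyTrustManager() }, null);
        tls.setHostnameVerifier((host, session) -> true);             // subject is printed for a manual check
        SSLSession session = tls.negotiate(sc.getSocketFactory());    // step 2: the SSLSession
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0]; // element zero is the peer
        tls.close(); ctx.close();
        byte[] der = leaf.getEncoded();                               // step 3: Certificate.getEncoded()
        try (FileOutputStream out = new FileOutputStream("ldap-server.cer")) { out.write(der); }
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) fp.append(String.format("%02X:", b));
        System.out.println("Subject: " + leaf.getSubjectX500Principal());
        System.out.println("SHA-256: " + fp.substring(0, fp.length() - 1) + "  (saved to ldap-server.cer)");
    }
}
```

Run it as `java FetchStartTlsCert myhost:389`; once the fingerprint checks out, `keytool -importcert -file ldap-server.cer -alias myldap -keystore jssecacerts` puts the certificate where the question wants it.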
