OpenLDAP can use Mozilla NSS as the TLS/SSL implementation. If you previously used OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings specified in your configuration files, those settings should work exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc. and apply them in the same way. The goal is that you will not be able to tell you are using OpenLDAP with Mozilla NSS because it will work exactly the same as OpenLDAP with OpenSSL.
For general information about using TLS/SSL with OpenLDAP see
http://www.openldap.org/faq/index.cgi?file=185
For information about building OpenLDAP with Mozilla NSS see
http://www.openldap.org/faq/index.cgi?file=196
To use a Mozilla certificate/key database, specify the directory path in the CA Certificate directory directive. For example, in ldap.conf or .ldaprc, use
TLS_CACERTDIR /path/to/cert/key/db/
In the slapd.conf, use TLSCACertificatePath. In cn=config, use olcTLSCACertificatePath. If the path contains both OpenSSL formatted CA cert hash symlinks/files _and_ an NSS cert/key database, OpenLDAP will use the NSS cert/key database and ignore the CA files.
To use a specific certificate in a cert/key database, specify the certificate name in the Cert or CertFile directive: ldap.conf or .ldaprc -> TLS_CERT, slapd.conf -> TLSCertificateFile, cn=config -> olcTLSCertificateFile. If the cert is on a token other than the builtin internal NSS software token, specify the token name first, followed by a colon (:). For example:
TLS_CERT my token name:My Cert Name
The keyfile directive (TLS_KEY, etc.) can be used to specify the name of the file containing the password/pin for the key. See below to use modutil or certutil to disable password protection for the key database.
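As an added illustration (not part of this FAQ), the following POSIX sh functions check that a directory really holds an NSS cert/key database, warn when OpenSSL-style hashed CA files sit next to it and would be silently ignored, and write an ldaprc with the directives described above, including a token-qualified TLS_CERT name and an owner-only pin file for TLS_KEY. cert8.db/cert9.db are the real NSS database file names; the token name, certificate nickname, key.pin file name and TLS_REQCERT demand (a standard ldap.conf directive the FAQ does not discuss) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP FAQ): point an OpenLDAP client at a
# Mozilla NSS cert/key database.  Paths, token and nickname are placeholders;
# no NSS tools are needed to run this.
set -eu

# Classify a TLS_CACERTDIR candidate: "nss" (cert8.db or cert9.db present),
# "openssl" (only hashed CA files such as a1b2c3d4.0), "both", or "none".
# When both are present OpenLDAP uses the NSS database and ignores the hashed
# CA files, so "both" deserves a warning.
nss_db_kind() {
    dir=$1
    nss=no
    ssl=no
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/cert8.db" ]; then nss=yes; fi
    # Heuristic: OpenSSL hash links are 8 hex digits plus ".0", ".1", ...
    for f in "$dir"/????????.[0-9]; do
        if [ -e "$f" ]; then ssl=yes; fi
    done
    case "$nss$ssl" in
        yesyes) echo both ;;
        yesno)  echo nss ;;
        noyes)  echo openssl ;;
        *)      echo none ;;
    esac
}

# Write an ldaprc-style file for the given NSS db, certificate nickname and
# token name ("" = builtin internal software token), plus a pin file for TLS_KEY.
# Usage: nss_tls_config DB_DIR NICKNAME TOKEN PIN OUT_FILE
nss_tls_config() {
    db=$1; nick=$2; token=$3; pin=$4; out=$5
    kind=$(nss_db_kind "$db")
    case "$kind" in
        nss|both) ;;
        *) echo "no NSS cert/key database in $db (found: $kind)" >&2; return 1 ;;
    esac
    if [ "$kind" = both ]; then
        echo "warning: hashed CA files in $db are ignored in favour of the NSS db" >&2
    fi
    # Token-qualified nickname, as in "TLS_CERT my token name:My Cert Name".
    if [ -n "$token" ]; then certname="$token:$nick"; else certname=$nick; fi
    # The pin file holds a plaintext secret: create it readable by the owner only.
    pinfile="$db/key.pin"   # assumed location for the example
    ( umask 077; printf '%s\n' "$pin" > "$pinfile" )
    cat > "$out" <<EOF
TLS_CACERTDIR $db
TLS_CERT $certname
TLS_KEY $pinfile
TLS_REQCERT demand
EOF
}

# Example call (assumed paths):
#   nss_tls_config ~/.moznss 'My Cert Name' 'my token name' "$pin" ~/.ldaprc
```

TLS_REQCERT demand makes the client reject a server certificate that does not verify against the CA certificates in the NSS database; it is the ldap.conf default, but stating it explicitly guards against a stray TLS_REQCERT never or allow elsewhere in the configuration.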
NSS provides command line utilities for managing the key/cert database. The most commonly used ones are certutil, pk12util, and modutil. Use -H or --help to get usage for these commands. Common tasks are:
List certs by name:
certutil -d /path/to/certdb -L
Print detailed cert info:
certutil -d /path/to/certdb -L 'name of cert'
Export cert to PEM (ASCII):
certutil -d /path/to/certdb -L 'name of cert' -a > /path/to/filename.pem
Add a CA certificate for a TLS/SSL issuer CA from a PEM (ASCII) file:
certutil -d /path/to/certdb -A -n 'name of CA cert' -t CT,, -a -i /path/to/cacert.pem
Add a certificate and private key from a PKCS12 file:
pk12util -d /path/to/certdb -i /path/to/file.p12
You will have to provide the password used to encrypt the .p12 file and the password for the key database. Press 'Enter' if no password.
You cannot export a raw private key or key file from a Mozilla NSS key database. You must first export the key with the cert in a PKCS12 file. You can then use the openssl pkcs12 command to extract the private key:
pk12util -d /path/to/certdb -o /path/to/myfile.p12 -n 'My Cert Name'
Press 'Enter' when prompted for the password to disable password protection of the p12 file.
openssl pkcs12 -in /path/to/myfile.p12 -out /path/to/file.pem -nodes
to extract the cert and key from the .p12 file and write them to file.pem unencrypted.
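An added, non-interactive version of the PKCS12 import and export steps above (example code, not the FAQ's own): openssl builds a .p12 from a PEM cert/key pair, pk12util imports it into an NSS database created without a database password, the same nickname is exported again, and openssl pkcs12 -nodes unpacks a .p12 back to PEM. Passwords are read from files rather than typed at prompts or passed on the command line. The certificate, key, nickname and password are constructed for the example, and the NSS steps run only when certutil and pk12util are installed.

```shell
#!/bin/sh
# Added example (not the FAQ's own script): PEM -> PKCS12 -> NSS db -> PKCS12,
# and PKCS12 -> unencrypted PEM, with no interactive password prompts.
# Requires openssl; the NSS steps are skipped if certutil/pk12util are absent.
set -eu
umask 077   # every file created below may contain a private key

# Throwaway self-signed cert and key to work with (constructed test input).
make_test_pair() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=nss-example' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# PEM -> PKCS12.  The .p12 password comes from a file, never from the command
# line where it would be visible in ps output and shell history.
# -name becomes the certificate nickname once pk12util imports the bundle.
pem_to_p12() {
    dir=$1; pwfile=$2
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name 'My Cert Name' -out "$dir/bundle.p12" -passout "file:$pwfile"
}

# PKCS12 -> PEM with the key unencrypted, the step the FAQ shows with -nodes.
p12_to_pem() {
    dir=$1; pwfile=$2
    openssl pkcs12 -in "$dir/bundle.p12" -out "$dir/roundtrip.pem" -nodes \
        -passin "file:$pwfile"
}

# Create an NSS db with no database password (so no pin is needed later),
# import the bundle, confirm the nickname is listed, and export it again.
# Returns 2 when the NSS tools are not installed.
nss_roundtrip() {
    dir=$1; pwfile=$2
    command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1 || return 2
    mkdir -p "$dir/nssdb"
    certutil -d "sql:$dir/nssdb" -N --empty-password
    pk12util -d "sql:$dir/nssdb" -i "$dir/bundle.p12" -w "$pwfile"
    certutil -d "sql:$dir/nssdb" -L -n 'My Cert Name' >/dev/null
    pk12util -d "sql:$dir/nssdb" -o "$dir/export.p12" -n 'My Cert Name' -w "$pwfile"
}

# Example run (assumed scratch directory):
#   d=$(mktemp -d); printf 'p12-secret\n' > "$d/pw"
#   make_test_pair "$d"; pem_to_p12 "$d" "$d/pw"; nss_roundtrip "$d" "$d/pw"
```

Both the .p12 written by pk12util -o and the PEM written by openssl pkcs12 -nodes contain the private key with no protection beyond file permissions, which is why the script sets umask 077 before creating anything; remove them once the key is where it needs to be.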
When using private keys with OpenLDAP, it is useful to disable password protection of the key database. This will eliminate the need to provide a password/pin on the command line or via a pin file:
modutil -dbdir /path/to/certdb -changepw 'NSS Certificate DB'
You must have the old password to perform this operation. Ignore the browser WARNING. Press 'Enter' for the new password to have no password at all. Newer versions of certutil can do this too:
certutil -d /path/to/certdb -W
Using Builtin Root Certs: NSS comes with a list of root CA certificates. These are contained in the shared library file libnssckbi.so (filename and extension may vary depending on your operating system). For example, if you have NSS installed in /usr/lib64 and your key/cert db is in ~/.moznss:
cd ~/.moznss
ln -s /usr/lib64/libnssckbi.so
modutil -dbdir ~/.moznss -list
will show the Root Certs module. Newer versions of certutil can do this too:
certutil -d ~/.moznss -U
to see all certs in both the internal cert db and the root certs db:
certutil -d ~/.moznss -L -h all
to print out certificate details on a CA cert in the root certs db:
certutil -d ~/.moznss -L -n 'Builtin Object Token:NAME OF CERT'