Exporting The Trusted Root; Authenticating With A Client Certificate; Using Certificate Authorities From Third-Party Providers - Novell EDIRECTORY 8.8 - ADMINISTRATION Manual

13.6.5 Exporting the Trusted Root

You can automatically export the trusted root while accepting the certificate server.
To manually export the trusted root, see Exporting a Trusted Root or Public Key Certificate
(http://www.novell.com/documentation/lg/crt27/crtadmin/data/a2ebopb.html#a2ebopd).
The Export function creates the specified file. Although you can change the filename, it is a
good idea to keep "DNS" or "IP" in the filename, so that you can recognize the type of Key
Material object, and to keep the server name in it as well.
Install the self-signed CA in all browsers that establish secure LDAP connections to eDirectory.
If you are using the certificate with Microsoft products (for example, Internet Explorer), keep the
.der extension.
If applications or SDKs require the certificate, import it into a certificate database.
Internet Explorer 5 exports root certificates automatically with a registry update. The traditional
.X509 extension used by Microsoft is required.

13.6.6 Authenticating with a Client Certificate

Mutual authentication requires a TLS session and a client certificate: both the server and the client
must prove that they are the objects they claim to be. The client certificate is validated at the
transport layer. However, at the LDAP protocol layer the client remains anonymous until it issues
an LDAP bind request.
Up to this point, the client has proven its identity to the server but not to LDAP. If a client wants
to authenticate as the identity contained in the client certificate, it binds by using the SASL
EXTERNAL mechanism.
1 In Novell iManager, click the Roles and Tasks button.
2 Click LDAP > LDAP Overview.
3 Click View LDAP Servers, then click the name of an LDAP Server object.
4 Click Connections.
5 In the Transport Layer Security section, open the Client Certificate drop-down menu, then select Required.
This enables mutual authentication.
6 Click Apply, then click OK.

13.6.7 Using Certificate Authorities from Third-Party Providers

During the eDirectory installation, the LDAP server receives a tree Certificate Authority (CA). The
LDAP Key Material object is based on that CA. Any certificate that a client sends to the LDAP
server must validate through that tree CA.
LDAP Services for eDirectory 8.8 supports multiple certificate authorities. Novell's tree CA is just
one certificate authority. The LDAP server might have other CAs (for example, one from VeriSign*, an
external company). Such an additional CA is also a trusted root.
Configuring LDAP Services for Novell eDirectory 349