Configuring The Client For Tls; Exporting The Trusted Root; Authenticating With A Client Certificate - Novell EDIRECTORY 8.8 SP2 - ADMINISTRATION Manual

After you reconfigure the LDAP server, refresh the server. See Section 14.5, "Refreshing the LDAP Server," on page 350. ConsoleOne and Novell iManager automatically refresh the server.

14.6.4 Configuring the Client for TLS

An LDAP client is an application (for example, Netscape Communicator, Internet Explorer, or ICE). The client must understand the certificate authority that the LDAP server uses. When a server is added into an eDirectory tree, by default the installation creates

- A certificate authority for the tree (the tree CA).
- A KMO from the tree CA.

The LDAP server uses this certificate provider. The client needs to import a certificate that it will trust so that it can validate the tree CA that the LDAP server claims to be using. The client must import a certificate from the server so that whenever the server sends its certificate, the client can validate it and verify that the server is who it claims to be.

So that the client can get a secure connection, the client must be configured before the connection. The way that the client imports the certificate differs, based on the kind of application being used. Each application must have a method to import a certificate. The Netscape browser has one way, IE has another way, and ICE has a third way. These are three different LDAP clients. Each client has its own method for locating the certificates that it trusts.

14.6.5 Exporting the Trusted Root

You can automatically export the trusted root while accepting the certificate server. To manually export the trusted root, see Exporting a Trusted Root or Public Key Certificate (http://www.novell.com/documentation/lg/crt27/crtadmin/data/a2ebopb.html#a2ebopd).

The Export functionality creates the specified file. Although you can modify the filename, it's a good idea to leave "DNS" or "IP" in the filename, so that you can recognize the type of material object. Also leave the server name.

Install the self-signed CA in all browsers that establish secure LDAP connections to eDirectory.

If you are using the certificate with Microsoft products (for example, Internet Explorer), leave the .der extension.

If applications or SDKs require the certificate, import it into a certificate database.

Internet Explorer 5 exports root certificates automatically with a registry update. The traditional .X509 extension used by Microsoft is required.

14.6.6 Authenticating with a Client Certificate

Mutual Authentication requires a TLS session and a client certificate. Both the server and the client must verify that they are the objects that they claim to be. The client certificate was validated at the

You connect to the secure port or start TLS after connecting to the clear port

354 Novell eDirectory 8.8 Administration Guide

Advertisement

Table of Contents
loading

Table of Contents