Hi there folks

I have been struggling with TLS/SSL setup on a standalone Directory Server running on Centos 6.7. I have followed instructions for setup of TLS/SSL from here mainly:


Though I had to adapt a couple of things with pointers from elsewhere to get the whole thing tied up. This is using a self-signed certificate. I have searched the web high and low and have read through the official 389-ds doc above as well as Redhat docs and numerous random guides on the web to try and piece this together.

The basic steps I ended up with after trial and error were as follows:

1) Create password files for use in certificate generation pwdfile and noisefile
2) Create new key and certificate databases for Directory Server - certutil -N -d . -f pwdfile.txt
3) Generate an encryption key for the CA - certutil -G -d . -z noisefile.txt -f pwdfile.txt)
4) Generate self signed CA certificate - certutil -S -n "CA certificate" -s "cn=CAcert" -2 -x -t "CT,," -m 1000 -v 120 -d . -z noisefile.txt -f pwdfile.txt
5) Export CA certificate to ASCII (.pem) format for use on Admin Server (and other LDAP servers) - certutil -L -d .  -n “CA certificate” -a > cacert.asc
6) Generate Directory Server client certificate -  certutil -S -n "DS-Server-Cert" -s "cn=example.com,ou=389 Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noisefile.txt -f pwdfile.txt
7) Generate server certificate for the Admin Server -  certutil -S  -n "admin-server-cert" -s "cn=example.com,ou=389 Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noisefile.txt -f pwdfile.txt
8) Use pk12util to create a pkcs12 file of all 3 certificates created -  pk12util -d . -o cacert.pk12 -n “CA certificate” -w pk12password.txt -k pwdfile.txt
9) Export Admin Server certificate/private key to admin-serv directory -  pk12util -d /etc/dirsrv/admin-serv/ -n “admin-server-cert” -i admincert.p12 -w pk12password.txt -k pwdfile.txt
10) Import CA into the Admin-Serv directory -  certutil -A -d /etc/dirsrv/admin-serv/ -n "CA certificate" -t "CT,," -a -i cacert.asc
11) Set pin and password.conf files for use during server restarts
12) Add selinux role to fix Admin Server access post password.conf file creation -  restorecon -v /etc/dirsrv/admin-serv/nss.conf
13) Set server to only accept TLS/SSL connections

I have done this in stages snapshotting the vm and documenting as I go and everything seems fine up til enabling SSL on the directory server. Note I have ntpd setup pointing to an AD DC and after each snapshot reverse am syncing time with that so its not a date/time sync issue or at least I don't believe so.

Once I check the Use SSL on Console box on Directory Server I can login to the console (over http) but on trying to open the Directory Server under Server Group I'm presented with a login box with DN name populated as: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot.

I saw someone else in the archives had this error and the suggested reason from one of the users was: The prompt is a password to unlock the NSS DB key file used for SSL on an RHDS instance. Which I take to be equivalent to password set in the pwdfile.txt file but adding this I get "Cannot connect to LDAP Server".

On setting the Admin Server console to use SSL I can no longer access the web console and get error:

Cannot connect to the Admin Server "https://example.com:9830/"
The URL is not correct or the server is not running.

Checking the logs in /var/log/dirsrv/admin-serv/error I see the following:

[Mon Jan 25 00:01:06 2016] [error] SSL Library Error: -12271 SSL client cannot verify your certificate

I have tested connection using openssl s_client -connect target_server_fqdn:636 and get back what looks like valid content. And ldapsearch -x -ZZ '(uid=tnumber1)' returns valid content also so looks to me like SSL and TLS are setup correctly. Certs showed in the console ok though the CAcert was listed on server tab of the directory console, is that correct? Admin-Serv shows server cert on server tab and CAcert on cacert tab,

Am I correct in assuming that the admin server speaks to the directory server over port 636 and that enabling SSL for the admin server should allow connection using https://example.com:9830 still?

Have I missed any obvious steps in my certificate setup? Is there any way other than what I've tried so far to verify that the SSL stuff is setup correctly? And is enabling SSL on the Admin Server (encryption tab, configuration ds tab and user ds tabs all completed) sufficient to require https access to the java console?

Hoping someone can shed some light on where I've been going wrong. I'm happy to provide more information or log output if required,

thanks in advance.