在LDAP中CA、CRL的发布属性
文章摘自
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Configuring_Publishers_for_LDAP_Publishing.html
主要介绍了在LDAP中CA、CRL文件的所需配置对象和属性。
7.4. Configuring Publishing to an LDAP Directory
The general process to configure publishing involves setting up a publisher to
publish the certificates or CRLs to the specific location. There can be a single
publisher or multiple publishers, depending on how many locations will be used.
The locations can be split by certificates and CRLs or finer definitions, such as
certificate type. Rules determine which type to publish and to what location by
being associated with the publisher.Configuring LDAP publishing is similar to other
publishing procedures, with additional steps to configure the directory:
1. Configure the Directory Server to which certificates will be published.
Certain attributes have to be added to entries and bind identities and
authentication methods have to be configured.
2. Configure a publisher for each type of object published: CA certificates,
cross-pair certificates, CRLs, and user certificates. The publisher declares
in which attribute to store the object. The attributes set by default are the X.500
standard attributes for storing each object type. This attribute can be changed in
the publisher, but, generally, it's not necessary to change the LDAP publishers.
3. Set up mappers to enable an entry's DN to be derived from the certificate's subject name.
This generally does not need set for CA certificates, CRLs, and user certificates.
There can be more than one mapper set for a type of certificate. This can be useful,
for example, to publish certificates for two sets of users from different divisions of a company
who are located in different parts of the directory tree. A mapper is created for each of the
groups to specify a different branch of the tree.
For details about setting up mappers, see Section 7.4.3, “Creating Mappers”.
4. Create rules to connect publishers to mappers, as described in Section 7.5, “Creating Rules”.
5. Enable publishing, as described in Section 7.6, “Enabling Publishing”.
7.4.1. Configuring the LDAP Directory
Before certificates and CRLs can be published, the Directory Server must be
configured to work with the publishing system. This means that user entries must
have attributes that allow them to receive certificate information,
and entries must be created to represent the CR.
1.Set up the entry for the CA. For the Certificate Manager to publish its
CA certificate and CRL, the directory must include an entry for the CA.
TIP:
When LDAP publishing is configured, the Certificate Manager
automatically creates or converts an entry for the CA in the directory.
This option is set in both the CA and CRL mapper instances and enabled by default.
If the directory restricts the Certificate Manager from creating entries in the directory,
turn off this option in those mapper instances, and add an entry for the CA manually in the directory.
When adding the CA's entry to the directory, select the entry type based on the DN of the CA:
(1)If the CA's DN begins with the cn component, create a new person entry for the CA.
Selecting a different type of entry may not allow the cn component to be specified.
(2)If the CA's DN begins with the ou component, create a new organizationalunit entry for the CA.
The entry does not have to be in the pkiCA or certificationAuthority object class.
The Certificate Manager will convert this entry to the pkiCA or certificationAuthority
object class automatically by publishing its CA's signing certificate.
NOTE:
The pkiCA object class is defined in RFC 4523, while the certificationAuthority object
class is defined in the (obsolete) RFC 2256. Either object class is acceptable, depending on
the schema definitions used by the Directory Server. In some situations,
both object classes can be used for the same CA entry.
For more information on creating directory entries, see the Red Hat Directory Server documentation.
2. Add the correct schema elements to the CA and user directory entries.
For a Certificate Manager to publish certificates and CRLs to a directory,
it must figured with specific attributes and object classes.
Object Type : End-entity certificate
Schema : userCertificate;binary (attribute)
Reason : This is the attribute to which the Certificate Manager publishes the certificate.
This is a multi-valued attribute, and each value is a DER-encoded binary X.509 certificate.
The LDAP object class named inetOrgPerson allows this attribute. The strongAuthenticationUser
object class allows this attribute and can be combined with any other object class to allow
certificates to be published to directory entries with other object classes.
The Certificate Manager does not automatically add this object class to the schema table of
the corresponding Directory Server.If the directory object that it finds does not allow
the userCertificate;binary attribute, adding or removing the certificate fails.
Object Type : CA certificate
Schema : caCertificate;binary (attribute)
Reason : This is the attribute to which the Certificate Manager publishes the certificate.
The Certificate Manager publishes its own CA certificate to its own LDAP directory
entry when the server starts. The entry corresponds to the Certificate Manager's issuer name.
This is a required attribute of the pkiCA or certificationAuthority object class.
The Certificate Manager adds this object class to the directory entry for
the CA if it can find the CA's directory entry.
Object Type : CRL
Schema : certificateRevocationList;binary (attribute)
Reason : This is the attribute to which the Certificate Manager publishes the CRL.
The Certificate Manager publishes the CRL to its own LDAP directory entry.
The entry corresponds to the Certificate Manager's issuer name.
This is an attribute of the pkiCA or certificationAuthority object class.
The value of the attribute is the DER-encoded binary X.509 CRL. The CA's entry
must already contain the pkiCA or certificationAuthority object class for the CRL to be published to the entry.
Object Type : Delta CRL
Schema : deltaRevocationList;binary (attribute)
Reason : This is the attribute to which the Certificate Manager publishes the delta CRL.
The Certificate Manager publishes the delta CRL to its own LDAP directory entry,
separate from the full CRL. The delta CRL entry corresponds to the Certificate Manager's issuer name.
This attribute belongs to the deltaCRL or certificationAuthority-V2 object class.
The value of the attribute is the DER-encoded binary X.509 delta CRL.
3. Set up a bind DN for the Certificate Manager to use to access the Directory Server.
The Certificate Manager user must have read-write permissions to the directory to
publish certificates and CRLs to the directory so that the Certificate Manager can
modify the user entries with certificate-related information and the CA
entry with CA's certificate and CRL related information.
The bind DN entry can be either of the following:
(1) An existing DN that has write access, such as the Directory Manager.
(2) A new user which is granted write access. The entry can be identified by
the Certificate Manager's DN, such as cn=testCA, ou=Research Dept, o=Example Corporation, st=California, c=US.
Note:
Carefully consider what privileges are given to this user. This user can be restricted in what
it can write to the directory by creating ACLs for the account. For instructions on giving write
access to the Certificate Manager's entry, see the Directory Server documentation.
4. Set the directory authentication method for how the Certificate Manager authenticates to Directory Server.
There are three options: basic authentication (simple username and password);
SSL without client authentication (simple username and password); and SSL with client authentication (certificate-based).
See the Red Hat Directory Server documentation for instructions on setting up these methods of communication with the server.