From: Chris R. <chr...@me...> - 2002-03-27 10:50:04

Brian Safford <bri...@ed...> wrote:

> I recall a thread (or two) on how to add X.509 certificates using
> Perl-LDAP. I'd appreciate it if someone could send me an example or two.
>
> --
> Regards,
>
> Brian Safford
> EDS Digital Enablement - Perimeter Messaging
>
>

This is answered by Net::LDAP::FAQ.

-----

Using X.509 certificates.

How do I store X.509 certificates in the directory?

The first problem here is that there are many different formats to hold
certificates in, for example PEM, DER, PKCS#7 and PKCS#12. The directory
*only* uses the DER format (more correctly, it only uses the BER format)
which is a binary format. Your first job is to ensure that your
certificates are therefore in DER/BER format. You could use OpenSSL to
convert from PEM like this:

    openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der

Consult the OpenSSL documentation to find out how to perform other
conversions.

To add a certificate to the directory, just slurp in the DER/BER
certificate into a scalar variable, and add it to the entry's
userCertificate attribute. How you do that will depend on which version of
LDAP you are using.

To slurp in the certificate try something like this:

    my $cert;
    {
        local $/ = undef;          # Slurp mode
        open CERT, "cert.der" or die;
        $cert = <CERT>;
        close CERT;
    }
    # The certificate is now in $cert

For LDAPv2, because most directory vendors ignore the string
representation of certificates defined in RFC 1778, you should add this
value to the directory like this:

    $res = $ldap->modify("cn=My User, o=My Company,c=XY",
                         add => [ 'userCertificate' => [ $cert ] ]);
    die "Modify failed (" . ldap_error_name($res->code) . ")\n"
        if $res->code;

For LDAPv3, you must do this instead:

    $res = $ldap->modify("cn=My User, o=My Company, c=XY",
                         add => [ 'userCertificate;binary' => [ $cert ] ]);
    die "Modify failed (" . ldap_error_name($res->code) . ")\n"
        if $res->code;

Of course, the entry you are trying to add the certificate to must use
object classes that permit the userCertificate attribute, otherwise the
modify will fail with an object class violation error. The inetOrgPerson
structural object class permits userCertificates, as does the
strongAuthenticationUser auxiliary object class. Others might also.

-----

Cheers,
Chris
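The FAQ steps above (convert to DER, slurp the bytes, check the entry's object classes, add `userCertificate;binary` over LDAPv3) assembled into one script. This is an added example, not code from the FAQ or from the Net::LDAP project; the host name, bind DN, entry DN and CA bundle path are placeholders to be replaced, and the bind password is taken from the environment. Unlike the FAQ snippet, it also accepts a PEM file (decoding it with the core MIME::Base64 module, which is what `openssl x509 -outform DER` would do) and refuses to send anything that is not a single, complete ASN.1 SEQUENCE, so a text file, a truncated download or two concatenated certificates is rejected before it reaches the directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);

# Assumed connection details (hypothetical placeholders, not real values).
my $host      = 'ldap.example.com';
my $bind_dn   = 'cn=Directory Manager';
my $bind_pw   = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";
my $cafile    = '/etc/ssl/certs/ca-certificates.crt';   # CA bundle for STARTTLS verification
my $entry_dn  = 'cn=My User, o=My Company, c=XY';
my $cert_file = $ARGV[0] // 'cert.pem';

# Slurp the file in raw (binary) mode; DER is binary, so no CRLF or encoding layers.
my $raw = do {
    local $/ = undef;
    open my $fh, '<:raw', $cert_file or die "open $cert_file: $!\n";
    <$fh>;
};

# Accept either a PEM file (base64 between BEGIN/END markers) or DER as-is.
my $der;
if ($raw =~ /-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----/s) {
    $der = decode_base64($1);
} else {
    $der = $raw;
}

# Structural check: a DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose
# encoded length covers exactly the rest of the buffer.  This rejects text,
# truncated files and several certificates glued together.
sub der_is_single_sequence {
    my ($b) = @_;
    return 0 unless length($b) >= 2 && ord(substr($b, 0, 1)) == 0x30;
    my $first = ord(substr($b, 1, 1));
    my ($len, $hdr);
    if ($first < 0x80) {                     # short form: length in one byte
        ($len, $hdr) = ($first, 2);
    } else {                                 # long form: low 7 bits = number of length bytes
        my $n = $first & 0x7f;
        return 0 if $n == 0 || $n > 4 || length($b) < 2 + $n;
        $len = 0;
        $len = ($len << 8) | ord(substr($b, 2 + $_, 1)) for 0 .. $n - 1;
        $hdr = 2 + $n;
    }
    return length($b) == $hdr + $len ? 1 : 0;
}
die "$cert_file is not a single DER-encoded certificate\n"
    unless der_is_single_sequence($der);

# LDAPv3 session, upgraded to TLS with server certificate verification before binding.
my $ldap = Net::LDAP->new($host, version => 3) or die "connect to $host: $@\n";
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "start_tls failed: " . $tls->error . "\n" if $tls->code;
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "bind failed (" . ldap_error_name($bind->code) . ")\n" if $bind->code;

# Check the entry's object classes first, so a schema problem is reported
# clearly instead of surfacing as an objectClassViolation on the modify.
my $srch = $ldap->search(base   => $entry_dn,
                         scope  => 'base',
                         filter => '(objectClass=*)',
                         attrs  => ['objectClass']);
die "search failed (" . ldap_error_name($srch->code) . ")\n" if $srch->code;
my $entry = $srch->entry(0) or die "entry $entry_dn not found\n";
my %oc = map { lc($_) => 1 } $entry->get_value('objectClass');
die "$entry_dn has neither inetOrgPerson nor strongAuthenticationUser; "
  . "userCertificate would be rejected\n"
    unless $oc{inetorgperson} || $oc{strongauthenticationuser};

# LDAPv3 form from the FAQ: the ;binary transfer option carries raw DER.
my $res = $ldap->modify($entry_dn, add => [ 'userCertificate;binary' => [ $der ] ]);
die "Modify failed (" . ldap_error_name($res->code) . ")\n" if $res->code;

print "Stored ", length($der), " DER bytes in userCertificate;binary of $entry_dn\n";
$ldap->unbind;
```

Run as `LDAP_BIND_PW=... perl store_cert.pl cert.pem`. The object class check only covers the two classes the FAQ names; a directory with a custom schema that allows userCertificate elsewhere would need that class added to the `unless` test, which is why the modify's own `ldap_error_name` result is still checked afterwards.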