1 .TH SLAPO-AUTOCA 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2009-2018 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copyright 2009-2018 Howard Chu All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
7 slapo\-autoca \- Automatic Certificate Authority overlay to slapd
11 The Automatic CA overlay generates X.509 certificate/key pairs for
12 entries in the directory. The DN of a generated certificate is
13 identical to the DN of the entry containing it. On startup it
14 looks for a CA certificate and key in the suffix entry of the
15 database which it will use to sign all subsequently generated
16 certificates. A new CA certificate and key will be generated
17 and stored in the suffix entry if none already exists. The CA
18 certificate is stored in the cACertificate;binary attribute of
19 the suffix entry, and the private key is stored in the
20 cAPrivateKey;binary attribute of the suffix entry. These
21 attributes may be overwritten if some other CA certificate/key
22 pair is desired for use.
24 Certificates for users and servers are generated on demand using
25 a Search request returning only the userCertificate;binary and
26 userPrivateKey;binary attributes. Any Search for anything besides
27 exactly these two attributes is ignored by the overlay. Note that
28 these values are stored in ASN.1 DER form in the directory so the
29 ";binary" attribute option is mandatory.
31 Entries that do not belong to selected objectClasses will be
32 ignored by the overlay. By default, entries of objectClass
34 will be treated as users, and entries of objectClass
36 will be treated as servers. There are slight differences in the
37 set of X.509V3 certificate extensions added to the certificate
38 between users and servers.
40 The CA's private key is stored in a
42 attribute, and user and server private keys are stored in the
44 attribute. The private key values are encoded in PKCS#8 format.
45 It is essential that access to these attributes be
46 properly secured with ACLs. Both of these attributes inherit
49 attribute, so it is sufficient to use a single ACL rule like
52 access to attrs=x509PrivateKey by self ssf=128 write
55 at the beginning of the rules.
57 Currently there is no automated management for expiration or revocation.
58 Obsolete certificates and keys must be manually removed by deleting
59 an entry's userCertificate and userPrivateKey attributes.
64 options apply to the Automatic CA overlay.
65 They should appear after the
69 .B userClass <objectClass>
70 Specify the objectClass to be treated as user entries.
72 .B serverClass <objectClass>
73 Specify the objectClass to be treated as server entries.
75 .B userKeybits <integer>
76 Specify the size of the private key to use for user certificates.
77 The default is 2048 and the minimum is 512.
79 .B serverKeybits <integer>
80 Specify the size of the private key to use for server certificates.
81 The default is 2048 and the minimum is 512.
83 .B caKeybits <integer>
84 Specify the size of the private key to use for the CA certificate.
85 The default is 2048 and the minimum is 512.
88 Specify the duration for a user certificate's validity.
89 The default is 365, 1 year.
91 .B serverDays <integer>
92 Specify the duration for a server certificate's validity.
93 The default is 1826, 5 years.
96 Specify the duration for the CA certificate's validity.
97 The default is 3652, 10 years.
100 Specify the DN of an entry that represents this server. Requests
101 to generate a certificate/key pair for this DN will also install
102 the certificate and key into slapd's TLS settings in cn=config
115 default slapd configuration file
118 .BR slapd\-config (5).
projects / openldap / blob