.TH SLAPO-AUTOCA 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2009-2017 The OpenLDAP Foundation All Rights Reserved.
.\" Copyright 2009-2017 Howard Chu All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-autoca \- Automatic Certificate Authority overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Automatic CA overlay generates X.509 certificate/key pairs for
entries in the directory. The DN of a generated certificate is identical
to the DN of the entry containing it. On startup it checks for a CA
certificate in the suffix entry of the database and generates and stores
one if not found. This CA certificate is used to sign all subsequently
generated certificates.
.LP
Certificates for users and servers are generated on demand using a
Search request returning only the userCertificate;binary and
userPrivateKey;binary attributes. Any Search for anything besides
exactly these two attributes is ignored by the overlay. Note that these
values are stored in ASN.1 DER form in the directory, so the ";binary"
attribute option is mandatory.
.LP
Entries that do not belong to the selected objectClasses are ignored by
the overlay. By default, entries of objectClass
.B person
are treated as users, and entries of objectClass
.B ipHost
are treated as servers. There are slight differences in the set of
X.509v3 certificate extensions added to the certificate between users
and servers.
.LP
The CA's private key is stored in a
.B cAPrivateKey
attribute, and user and server private keys are stored in the
.B userPrivateKey
attribute. It is essential that access to these attributes be properly
secured with ACLs. Both of these attributes inherit from the
.B x509PrivateKey
attribute, so it is sufficient to use a single ACL rule like
.nf
	access to attrs=x509PrivateKey by self ssf=128 write
.fi
at the beginning of the rules.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the Automatic CA overlay.
They should appear after the
.B overlay
directive.
.TP
.B userClass
Specify the objectClass to be treated as user entries.
.TP
.B serverClass
Specify the objectClass to be treated as server entries.
.TP
.B userKeybits
Specify the size of the private key to use for user certificates.
The default is 2048 and the minimum is 512.
.TP
.B serverKeybits
Specify the size of the private key to use for server certificates.
The default is 2048 and the minimum is 512.
.TP
.B caKeybits
Specify the size of the private key to use for the CA certificate.
The default is 2048 and the minimum is 512.
.TP
.B userDays
Specify the duration, in days, of a user certificate's validity.
The default is 365 (1 year).
.TP
.B serverDays
Specify the duration, in days, of a server certificate's validity.
The default is 1826 (5 years).
.TP
.B caDays
Specify the duration, in days, of the CA certificate's validity.
The default is 3652 (10 years).
.SH EXAMPLES
.nf
	database mdb
	...
	overlay autoca
	caKeybits 4096
.fi
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5).
.SH AUTHOR
Howard Chu
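.LP
The following is an added example, not part of this manual page or of the OpenLDAP distribution: a slapd.conf fragment that places the x509PrivateKey ACL first, as the DESCRIPTION section calls for, alongside the overlay directives documented above. The suffix, rootdn, directory path and the inetOrgPerson userClass are placeholder choices.

```conf
# Added example (not from the man page or the OpenLDAP sources).
# Placeholders: the suffix, rootdn, directory and userClass values.

database        mdb
suffix          "dc=example,dc=com"
# rootdn bypasses ACLs entirely; reserve it for administration.
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Private-key rule first: slapd evaluates "access to" clauses in order
# and stops at the first clause whose target matches, so a later,
# broader rule can never expose cAPrivateKey or userPrivateKey. Both
# inherit from x509PrivateKey, so one rule covers both. ssf=128 means
# the key is returned only over a connection with at least 128-bit
# confidentiality (TLS or SASL). "by * none" is the implicit default,
# written out here for clarity.
access to attrs=x509PrivateKey
        by self ssf=128 write
        by * none

# Certificates are public and may be read by anyone.
access to attrs=userCertificate
        by * read

access to *
        by self write
        by users read
        by anonymous auth

# Overlay settings follow the overlay directive they configure.
# userClass: treat inetOrgPerson entries as users (default: person).
# serverClass: ipHost is already the default, shown for completeness.
# caKeybits: 4096-bit CA key; user and server keys keep the 2048 default.
overlay         autoca
userClass       inetOrgPerson
serverClass     ipHost
caKeybits       4096
userDays        365
serverDays      1826
caDays          3652

# A client then triggers (or fetches) its own certificate and key with a
# base-scope search that asks for exactly these two attributes, e.g.
#   ldapsearch -ZZ -D "uid=alice,ou=people,dc=example,dc=com" -W \
#     -b "uid=alice,ou=people,dc=example,dc=com" -s base \
#     "userCertificate;binary" "userPrivateKey;binary"
```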