Description
You can use dxcertgen to create user certificates at the same time as generating the DSA certificates.
By specifying the location and passwords of the Java keystores, dxcertgen can automatically
add the newly created CA and user certificates into the CA keystore (cacerts) and the client keystore (clientcerts).
Solution
Assumptions
The DSA that you will be using to authenticate will have a prefix of:
"o=Democorp,c=au"
The LDIF containing the user entries will be located in the root of C Drive (C:\).
Procedure
In order to create user certificates using Dxcertgen, you need to have the following already prepared:
Create the LDIF file
The LDIF file can be a full LDIF dump of the selected users.
Make note of where you save this file, as its fully qualified path will be used when generating the certificates.
With the LDIF file below, certificates will be created for the following two users:
version: 1

dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Joe Bloggs
sn: BLOGS

dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Marjorie SIMPER
sn: SIMPER
Java Environment Variables Configured
In order to run the dxcertgen tool and have it access the keystores, you will need to define several environment variables that point to the Java installation, which in this example is:
C:\Program Files\Java\jre1.6.0_07
C:\Program Files\Java\jre1.6.0_07\bin
To confirm that Java is available from the command line, run keytool from a command prompt:
keytool
The output of keytool will begin with the following:
C:\>keytool
keytool usage:

-certreq     [-v] [-protected] [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]
Note: The keytool utility is a Java utility and is documented on the Java keytool web page on the Java web site http://java.sun.com.
Location of keystores
The location of the keystores for the open source version of JXplorer can be found in the following
folder (assuming that the default installation location was used):
C:\Program Files\JXplorer\security
The keystores and their default passwords are shown in the attached image; they are the same values passed to dxcertgen in the command below: clientcerts with the password passphrase, and cacerts with the password changeit.
Running the Dxcertgen command
The dxcertgen command below will perform several tasks. They are:
Create the root CA certificate and its signing key pair in the cacerts keystore, and write the root certificate to trusted.pem.
Import the root CA certificate into the clientcerts keystore.
Generate the DXserver personality certificates from the server files, signed by the root CA.
Generate a certificate and key pair for each user in the LDIF file, signed by the root CA, and import them into the clientcerts keystore.
dxcertgen -u "C:\users.ldif" -c "C:\Program Files\JXplorer\security\clientcerts" -C passphrase -s "C:\Program Files\JXplorer\security\cacerts" -S changeit certs
The output for the dxcertgen command will look like the following:
Setting root certificate and public/private keys for signing...
Exporting certificate 'dxcertgen' from C:\Program Files\JXplorer\security\cacerts...
alias 'dxcertgen' not found
Generating public and private key pair...
Generating key pair for 'dxcertgen' in C:\Program Files\JXplorer\security\cacerts...
Exporting certificate 'dxcertgen' from C:\Program Files\JXplorer\security\cacerts...
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Importing certificate 'dxcertgen' into C:\Program Files\JXplorer\security\cacerts...
Importing certificate 'dxcertgen' into C:\Program Files\JXplorer\security\clientcerts...
Writing root certificate to trusted.pem...
Generating DXserver personalities from server files...
Generating a new personality certificate for lang...
Generating a 1024-bit RSA public/private key pair..............++++++............++++++
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Writing personality certificate to C:\Program Files\CA\Directory\dxserver\config\ssld\personalities\lang.pem...
Generating a new personality certificate for democorp...
Generating a 1024-bit RSA public/private key pair.......................................................++++++...............++++++
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Writing personality certificate to C:\Program files\CA\Directory\dxserver\config\ssld\personalities\democorp.pem...
Generating user certificates...
Generating a new user certificate for Joe_Bloggs...
Generating public and private key pair...
Generating key pair for 'Joe_Bloggs' in C:\Program Files\JXplorer\security\clientcerts...
Exporting certificate 'Joe_Bloggs' from C:\Program Files\JXplorer\security\clientcerts...
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Importing certificate 'Joe_Bloggs' into C:\Program Files\JXplorer\security\clientcerts...
Generating a new user certificate for Marjorie_SIMPER...
Generating public and private key pair...
Generating key pair for 'Marjorie_SIMPER' in C:\Program Files\JXplorer\security\clientcerts...
Exporting certificate 'Marjorie_SIMPER' from C:\Program Files\JXplorer\security\clientcerts...
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Importing certificate 'Marjorie_SIMPER' into C:\Program Files\JXplorer\security\clientcerts...
Done.
The "alias 'dxcertgen' not found" message is expected the first time the command is run: as the output shows, dxcertgen looks for an existing CA certificate in cacerts before it generates a new key pair.
Verification
Once the command is complete, you should see the following certificates in the Java keystores that JXplorer accesses: the dxcertgen CA certificate and key pair in cacerts, and in clientcerts the dxcertgen CA certificate together with the Joe_Bloggs and Marjorie_SIMPER user certificates and key pairs (the aliases written in the dxcertgen output above). The attached images show the listing of each keystore.
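As an added check that is not part of the original article: the Python script below parses the user LDIF and the output of keytool -list for the client keystore, and reports every user whose expected alias (the cn with spaces replaced by underscores, as seen in the dxcertgen output above) has no private key entry. The LDIF and keystore listing are constructed samples, and the keytool output format is an assumption.

```python
import re

# Constructed sample input: the two user entries from the LDIF on this page.
USERS_LDIF = """version: 1

dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
cn: Joe Bloggs
sn: BLOGS

dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
cn: Marjorie SIMPER
sn: SIMPER
"""

# Constructed sample of 'keytool -list -keystore clientcerts' output with the Marjorie_SIMPER
# entry deliberately missing. Assumption: one 'alias, date, EntryType,' line per entry, alias lower-cased.
CLIENTCERTS_LIST = """Your keystore contains 2 entries

dxcertgen, 12/01/2009, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
joe_bloggs, 12/01/2009, PrivateKeyEntry,
"""

def ldif_cns(ldif_text):
    """Return the cn value of every entry; folded LDIF continuation lines are joined first."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    return [cn.strip() for cn in re.findall(r"^cn: (.*)$", unfolded, re.M)]

def expected_alias(cn):
    """dxcertgen names the keystore entry after the cn with spaces replaced by underscores."""
    return cn.replace(" ", "_")

def keystore_aliases(keytool_list_output):
    """Map lower-cased alias -> entry type, parsed from 'keytool -list' output."""
    entries = {}
    for line in keytool_list_output.splitlines():
        m = re.match(r"^(.+?), [^,]+, (\w+),\s*$", line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def missing_user_keys(ldif_text, keytool_list_output):
    """Users from the LDIF that have no PrivateKeyEntry in the client keystore."""
    entries = keystore_aliases(keytool_list_output)
    return [expected_alias(cn) for cn in ldif_cns(ldif_text)
            if entries.get(expected_alias(cn).lower()) != "PrivateKeyEntry"]
```

To run it against a real keystore, feed the output of keytool -list -keystore clientcerts -storepass passphrase to missing_user_keys together with the contents of users.ldif.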
Connecting to CA Directory using your newly added keys
In order for you to be able to use your new CA and user certificates to connect to a DSA, the following must be in place:
The DSA must have the prefix "o=Democorp,c=au" (see Assumptions).
The user entries must exist in the DSA. The LDIF below creates the container entries and the two users:
version: 1

dn: ou=Corporate,o=Democorp,c=au
objectClass: organizationalUnit

dn: ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: organizationalUnit

dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Joe Bloggs
sn: BLOGGS

dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Marjorie SIMPER
sn: SIMPER
Load the LDIF into the DSA with dxmodify:
dxmodify -a -c -h {hostName} -p {DSA Port} -f {LDIFFileName}
The SSL daemon must be installed with the trusted root certificate and the personality certificates that dxcertgen wrote, and then started:
ssld install ssldservice -ca config/ssld/trusted.pem -certs config/ssld/personalities
ssld start ssldservice
The DSA must be stopped:
dxserver stop {dsaName}
Then you need to restart the DSA:
dxserver start {dsaName}
Once connected you should see the DIT structure of the Directory: ou=Corporate under o=Democorp,c=au, ou=Information beneath it, and the two user entries Joe Bloggs and Marjorie SIMPER.