From ba0d1540e156f9a0de954d6548dfb37d979d9f51 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 31 Aug 2023 15:04:25 +0200
Subject: [PATCH 1/4] Use update-ca-trust to import LDAP certificate
It's also not needed to restart the service.
---
 .../proc_configuring-tls-for-secure-ldap.adoc | 21 ++++++-------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
index ef940a254af..ae61641706d 100644
--- a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
+++ b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
@@ -15,27 +15,18 @@ endif::[]
 You will remove the certificate when finished.
 +
 The filename extensions `.cer` and `.crt` are only conventions and can refer to DER binary or PEM ASCII format certificates.
-. Add the LDAP certificate to your CA trust list:
-.. Install the LDAP certificate in the `/etc/pki/tls/certs/` directory with the correct permissions:
+. Add the LDAP server certificate to the system trust store:
+.. Import the certificate:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# install /tmp/_example.crt_ /etc/pki/tls/certs/
+# cp /tmp/_example.crt_ /etc/pki/tls/source/anchors
 ----
-+
-LDAP certificates must be individual files.
-.. Create a symbolic link to the LDAP certificate:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# ln -s _example.crt_ /etc/pki/tls/certs/$(openssl \ x509 -noout -hash -in \ /etc/pki/tls/certs/_example.crt_).0
-----
-.. Restart the `httpd` service:
+.. Update the certificate authority trust store:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# systemctl restart httpd
+# update-ca-trust enable
+# update-ca-trust
 ----
 . Delete the downloaded LDAP certificate from the temporary location on your {ProjectServer}.
From bde1f0bb99670b57aeef98ca6ca64efaa353ddab Mon Sep 17 00:00:00 2001
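Review bot: The directory in the new `# cp /tmp/_example.crt_ /etc/pki/tls/source/anchors` line does not match the anchor directory that `update-ca-trust` processes on RHEL-family systems, which is `/etc/pki/ca-trust/source/anchors/`; a certificate copied to the path as written would not enter the generated bundles and LDAP verification would keep failing, so unless the target platform differs, change the line to `# cp /tmp/_example.crt_ /etc/pki/ca-trust/source/anchors/`. Because the procedure installs the LDAP server's own certificate as a trust anchor rather than its issuing CA, trust is pinned to that one leaf and silently breaks when the LDAP server rotates it; the step would benefit from a sentence such as `Where possible, import the CA certificate that issued the LDAP server certificate instead of the server certificate itself.` The commit message's claim that no service restart is needed holds only if the LDAP client opens the trust store per connection rather than caching it at startup, which the hunk does not establish, so it is worth verifying on a running server before the `systemctl restart httpd` step is dropped from the docs.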
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Fri, 6 Dec 2024 09:11:03 +0100
Subject: [PATCH 2/4] Fix commands to update the CA trust store
---
 .../common/modules/proc_configuring-tls-for-secure-ldap.adoc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
index ae61641706d..507d5e6241a 100644
--- a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
+++ b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
@@ -26,7 +26,6 @@ The filename extensions `.cer` and `.crt` are only conventions and can refer to
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# update-ca-trust enable
-# update-ca-trust
+# update-ca-trust extract
 ----
 . Delete the downloaded LDAP certificate from the temporary location on your {ProjectServer}.
From 267f92171c5ff6eef2116a157f7d712e604dc009 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Fri, 6 Dec 2024 09:27:20 +0100
Subject: [PATCH 3/4] s/trust store/truststore
---
 .../common/modules/proc_configuring-tls-for-secure-ldap.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
index 507d5e6241a..56f0552b5d9 100644
--- a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
+++ b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
@@ -15,14 +15,14 @@ endif::[]
 You will remove the certificate when finished.
 +
 The filename extensions `.cer` and `.crt` are only conventions and can refer to DER binary or PEM ASCII format certificates.
-. Add the LDAP server certificate to the system trust store:
+. Add the LDAP server certificate to the system truststore:
 .. Import the certificate:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
 # cp /tmp/_example.crt_ /etc/pki/tls/source/anchors
 ----
-.. Update the certificate authority trust store:
+.. Update the certificate authority truststore:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
From bf3daf60ed127f66de236353e368a9bf837dd5ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Fri, 6 Dec 2024 13:21:22 +0100
Subject: [PATCH 4/4] Link to RHEL docs for details about update-ca-trust
---
 .../common/modules/proc_configuring-tls-for-secure-ldap.adoc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
index 56f0552b5d9..231146c9ee4 100644
--- a/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
+++ b/guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
@@ -29,3 +29,8 @@ The filename extensions `.cer` and `.crt` are only conventions and can refer to
 # update-ca-trust extract
 ----
 . Delete the downloaded LDAP certificate from the temporary location on your {ProjectServer}.
+
+ifndef::orcharhino[]
+.Additional resources
+* For more information about adding certificates to the system truststore, see link:{RHELDocsBaseURL}9/html/securing_networks/using-shared-system-certificates_securing-networks[Using shared system certificates] in _{RHEL}{nbsp}9 Securing networks_.
+endif::[]