Install and Protect LDAP Certificate Files
An XCCDF Group
Description
Create the PKI directory for LDAP certificates if it does not already exist:

$ sudo mkdir /etc/pki/tls/ldap
$ sudo chown root:root /etc/pki/tls/ldap
$ sudo chmod 755 /etc/pki/tls/ldap

Using removable media or some other secure transmission format, install the certificate files onto the LDAP server:
- /etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem
- /etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem

$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem

Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions:
$ sudo mkdir /etc/pki/tls/CA
$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem

As a result of these steps, the LDAP server will have access to its own certificate and the private key that belongs to it, and to the public certificate file belonging to the CA. Note that the key could be protected further, so that processes running as ldap could not read it. If this were done, the LDAP server process would need to be restarted manually whenever the server rebooted.
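The whole procedure above, collected into one script that installs the three files from a staging directory and then checks that every path has the owner, group and mode the group requires. This is an added example, not part of the SCAP Security Guide content; the PREFIX, OWNER, OWNER_GROUP and LDAP_GROUP variables and the staging-directory argument are assumptions made here so that the same script can be exercised in a scratch tree without root.

```shell
#!/bin/sh
# Added example, not part of the SSG group text: install the LDAP server key,
# server certificate and CA certificate into the /etc/pki/tls tree described
# above, then verify owner, group and mode of every item.
# Assumptions not on the page: PREFIX (default empty) roots the tree elsewhere
# for testing; OWNER/OWNER_GROUP (default root) and LDAP_GROUP (default ldap)
# are overridable; $1 is a staging directory holding ldapserverkey.pem,
# ldapservercert.pem and cacert.pem copied from the removable medium.
set -u

PREFIX="${PREFIX:-}"
OWNER="${OWNER:-root}"
OWNER_GROUP="${OWNER_GROUP:-root}"
LDAP_GROUP="${LDAP_GROUP:-ldap}"

# Create a directory if missing and set its owner:group and octal mode.
mkdir_owned() {
    # $1 = path, $2 = owner:group, $3 = mode
    mkdir -p "$1" && chown "$2" "$1" && chmod "$3" "$1"
}

# Copy one file into place, then set its owner:group and octal mode.
install_file() {
    # $1 = source, $2 = destination, $3 = owner:group, $4 = mode
    if [ ! -f "$1" ]; then
        echo "missing source file: $1" >&2
        return 1
    fi
    cp "$1" "$2" && chown "$3" "$2" && chmod "$4" "$2"
}

# Carry out the full procedure from the staging directory given as $1.
install_ldap_certs() {
    src="$1"
    ldapdir="$PREFIX/etc/pki/tls/ldap"
    cadir="$PREFIX/etc/pki/tls/CA"
    mkdir_owned "$ldapdir" "$OWNER:$OWNER_GROUP" 755 || return 1
    mkdir_owned "$cadir" "$OWNER:$OWNER_GROUP" 755 || return 1
    # Key and certificate: root-owned, readable only by root and the ldap group.
    install_file "$src/ldapserverkey.pem" "$ldapdir/serverkey.pem" "$OWNER:$LDAP_GROUP" 640 || return 1
    install_file "$src/ldapservercert.pem" "$ldapdir/servercert.pem" "$OWNER:$LDAP_GROUP" 640 || return 1
    # CA public certificate: root-owned and world-readable.
    install_file "$src/cacert.pem" "$cadir/cacert.pem" "$OWNER:$OWNER_GROUP" 644 || return 1
}

# Return 0 only if $1 exists with exactly the "mode owner group" string in $2
# (the format printed by GNU stat -c '%a %U %G').
check_perms() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# Check every directory and file from the procedure, print one line per item,
# and return non-zero if anything is missing or has the wrong mode/ownership.
verify_ldap_certs() {
    rc=0
    for spec in \
        "$PREFIX/etc/pki/tls/ldap|755 $OWNER $OWNER_GROUP" \
        "$PREFIX/etc/pki/tls/ldap/serverkey.pem|640 $OWNER $LDAP_GROUP" \
        "$PREFIX/etc/pki/tls/ldap/servercert.pem|640 $OWNER $LDAP_GROUP" \
        "$PREFIX/etc/pki/tls/CA|755 $OWNER $OWNER_GROUP" \
        "$PREFIX/etc/pki/tls/CA/cacert.pem|644 $OWNER $OWNER_GROUP"
    do
        path=${spec%%|*}
        want=${spec#*|}
        if check_perms "$path" "$want"; then
            echo "ok    $path ($want)"
        else
            got=$(stat -c '%a %U %G' "$path" 2>/dev/null || echo missing)
            echo "FAIL  $path: want '$want', got '$got'"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real server (as root): ./install-ldap-certs.sh /media/usb/ldap-certs
if [ $# -gt 0 ]; then
    install_ldap_certs "$1" && verify_ldap_certs
fi
```

The verification step is the part worth keeping around: run verify_ldap_certs from a cron job or a compliance check and it reports any drift from the 640/644/755 layout, for example a key that became world-readable after a careless copy.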
- ID
- xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files