openldap/doc/man/man5/slapo-autoca.5

.TH SLAPO-AUTOCA 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2009-2017 The OpenLDAP Foundation All Rights Reserved.
.\" Copyright 2009-2017 Howard Chu All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-autoca \- Automatic Certificate Authority overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Automatic CA overlay generates X.509 certificate/key pairs for
entries in the directory. The DN of a generated certificate is
identical to the DN of the entry containing it. On startup it
checks for a CA certificate in the suffix entry of the database
and generates and stores one if not found. This CA certificate
is used to sign all subsequently generated certificates.
.LP
Certificates for users and servers are generated on demand using
a Search request returning only the userCertificate;binary and
userPrivateKey;binary attributes. Any Search for anything besides
exactly these two attributes is ignored by the overlay. Note that
these values are stored in ASN.1 DER form in the directory so the
";binary" attribute option is mandatory.
.LP
Entries that do not belong to selected objectClasses will be
ignored by the overlay. By default, entries of objectClass
.B person
will be treated as users, and entries of objectClass
.B ipHost
will be treated as servers. There are slight differences in the
set of X.509V3 certificate extensions added to the certificate
between users and servers.
.LP
The CA's private key is stored in a
.B cAPrivateKey
attribute, and user and server private keys are stored in the
.B userPrivateKey
attribute. It is essential that access to these attributes be
properly secured with ACLs. Both of these attributes inherit
from the
.B x509PrivateKey
attribute, so it is sufficient to use a single ACL rule like

.nf
        access to attrs=x509PrivateKey by self ssf=128 write
.fi

at the beginning of the rules.

.SH CONFIGURATION
These
.B slapd.conf
options apply to the Automatic CA overlay.
They should appear after the
.B overlay
directive.
.TP
.B userClass <objectClass>
Specify the objectClass to be treated as user entries.
.TP
.B serverClass <objectClass>
Specify the objectClass to be treated as server entries.
.TP
.B userKeybits <integer>
Specify the size of the private key to use for user certificates.
The default is 2048 and the minimum is 512.
.TP
.B serverKeybits <integer>
Specify the size of the private key to use for server certificates.
The default is 2048 and the minimum is 512.
.TP
.B caKeybits <integer>
Specify the size of the private key to use for the CA certificate.
The default is 2048 and the minimum is 512.
.TP
.B userDays <integer>
Specify the duration for a user certificate's validity.
The default is 365, 1 year.
.TP
.B serverDays <integer>
Specify the duration for a server certificate's validity.
The default is 1826, 5 years.
.TP
.B caDays <integer>
Specify the duration for the CA certificate's validity.
The default is 3652, 10 years.

.SH EXAMPLES
.nf
  database mdb
  ...
  overlay autoca
  caKeybits 4096
.fi
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5).
.SH AUTHOR
Howard Chu
Add autoca overlay Automated certificate authority 2017-04-07 22:25:37 +08:00			`.TH SLAPO-AUTOCA 5 "RELEASEDATE" "OpenLDAP LDVERSION"`
			`.\" Copyright 2009-2017 The OpenLDAP Foundation All Rights Reserved.`
			`.\" Copyright 2009-2017 Howard Chu All Rights Reserved.`
			`.\" Copying restrictions apply. See COPYRIGHT/LICENSE.`
			`.\" $OpenLDAP$`
			`.SH NAME`
			`slapo\-autoca \- Automatic Certificate Authority overlay to slapd`
			`.SH SYNOPSIS`
			`ETCDIR/slapd.conf`
			`.SH DESCRIPTION`
			`The Automatic CA overlay generates X.509 certificate/key pairs for`
			`entries in the directory. The DN of a generated certificate is`
			`identical to the DN of the entry containing it. On startup it`
			`checks for a CA certificate in the suffix entry of the database`
			`and generates and stores one if not found. This CA certificate`
			`is used to sign all subsequently generated certificates.`
			`.LP`
			`Certificates for users and servers are generated on demand using`
			`a Search request returning only the userCertificate;binary and`
			`userPrivateKey;binary attributes. Any Search for anything besides`
			`exactly these two attributes is ignored by the overlay. Note that`
			`these values are stored in ASN.1 DER form in the directory so the`
			`";binary" attribute option is mandatory.`
			`.LP`
			`Entries that do not belong to selected objectClasses will be`
			`ignored by the overlay. By default, entries of objectClass`
			`.B person`
			`will be treated as users, and entries of objectClass`
			`.B ipHost`
			`will be treated as servers. There are slight differences in the`
			`set of X.509V3 certificate extensions added to the certificate`
			`between users and servers.`
			`.LP`
			`The CA's private key is stored in a`
			`.B cAPrivateKey`
			`attribute, and user and server private keys are stored in the`
			`.B userPrivateKey`
			`attribute. It is essential that access to these attributes be`
			`properly secured with ACLs. Both of these attributes inherit`
			`from the`
			`.B x509PrivateKey`
			`attribute, so it is sufficient to use a single ACL rule like`

			`.nf`
			`access to attrs=x509PrivateKey by self ssf=128 write`
			`.fi`

			`at the beginning of the rules.`

			`.SH CONFIGURATION`
			`These`
			`.B slapd.conf`
			`options apply to the Automatic CA overlay.`
			`They should appear after the`
			`.B overlay`
			`directive.`
			`.TP`
			`.B userClass <objectClass>`
			`Specify the objectClass to be treated as user entries.`
			`.TP`
			`.B serverClass <objectClass>`
			`Specify the objectClass to be treated as server entries.`
			`.TP`
			`.B userKeybits <integer>`
			`Specify the size of the private key to use for user certificates.`
			`The default is 2048 and the minimum is 512.`
			`.TP`
			`.B serverKeybits <integer>`
			`Specify the size of the private key to use for server certificates.`
			`The default is 2048 and the minimum is 512.`
			`.TP`
			`.B caKeybits <integer>`
			`Specify the size of the private key to use for the CA certificate.`
			`The default is 2048 and the minimum is 512.`
			`.TP`
			`.B userDays <integer>`
			`Specify the duration for a user certificate's validity.`
			`The default is 365, 1 year.`
			`.TP`
			`.B serverDays <integer>`
			`Specify the duration for a server certificate's validity.`
			`The default is 1826, 5 years.`
			`.TP`
			`.B caDays <integer>`
			`Specify the duration for the CA certificate's validity.`
			`The default is 3652, 10 years.`

			`.SH EXAMPLES`
			`.nf`
			`database mdb`
			`...`
			`overlay autoca`
			`caKeybits 4096`
			`.fi`
			`.SH FILES`
			`.TP`
			`ETCDIR/slapd.conf`
			`default slapd configuration file`
			`.SH SEE ALSO`
			`.BR slapd.conf (5),`
			`.BR slapd\-config (5).`
			`.SH AUTHOR`
			`Howard Chu`