Re: Storing X509 certificates in LDAP?
Dieter Kluenter wrote:
> An X.509 certificate is a base64 encoded attribute value.
Just to avoid confusion and further questions let us be more precise:
When storing X.509 certificates via LDAP you have to transmit the raw DER
encoding without(!) base64. With OpenLDAP you have to use binary transfer
encoding (userCertificate;binary). Also note that the base64-encoded form
with BEGIN/END CERTIFICATE lines does not work!
When specifying a binary blob in an LDIF file you have to use this form (see
RFC2849):
userCertificate;binary:: <multiple lines of base64-encoded binary blob>
                      ^^
Note the double colon!
Another option is to use URLs in LDIF:
userCertificate;binary:< file:///..../user.crt
When creating LDIF, the best bet is to use an LDIF module for your favourite
programming language, which does the job for you.
Ciao, Michael.
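
The points made in the message above (raw DER instead of PEM, the ;binary option, and the double colon for base64 values in LDIF) as an added Python example that is not part of the original post. The function names, the DN and the sample bytes are assumptions made for illustration; the sample is a constructed byte string with a SEQUENCE header, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return raw DER whether the input file is PEM-armoured or already DER."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m:  # strip the BEGIN/END lines and undo the base64 armour
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("neither PEM nor DER certificate data")
    return data

def fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines begin with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def cert_ldif(dn: str, cert_file_bytes: bytes) -> str:
    """Build an LDIF modify record; the DN is assumed to be plain ASCII."""
    b64 = base64.b64encode(to_der(cert_file_bytes)).decode("ascii")
    return "\n".join([
        fold(f"dn: {dn}"),
        "changetype: modify",
        "replace: userCertificate;binary",
        fold(f"userCertificate;binary:: {b64}"),  # '::' marks a base64 value
        "-",
        "",
    ])

def unfold(ldif: str) -> str:
    """Undo RFC 2849 folding so values can be read back and checked."""
    return ldif.replace("\n ", "")

# Constructed sample input: SEQUENCE header plus filler bytes.
CONSTRUCTED_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(cert_ldif("uid=jdoe,ou=people,dc=example,dc=org", CONSTRUCTED_PEM))
```

The value that ends up in the LDIF is base64 of the DER bytes, which is a different thing from pasting the PEM text (base64 plus armour lines) into the attribute.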