Set up LDAP servers
Configure the LDAP Directory Information Tree (DIT) structure to use the hierarchy corresponding to the Distinguished Names of the CAs that issue the certificates and CRLs. You can set up the DIT structure with a file that uses the LDAP Data Interchange Format (LDIF). You can also use LDIF files to update a directory.
LDIF files are ASCII text files that contain the information required to define objects within an LDAP directory. LDIF files contain one or more entries, each of which comprises a Distinguished Name, at least one object class definition and, optionally, multiple attribute definitions.
The attribute certificateRevocationList;binary contains a list, in binary form, of revoked user certificates. The attribute authorityRevocationList;binary contains a binary list of CA certificates that have been revoked. The binary data for these attributes is in PEM (Privacy-Enhanced Mail) format, that is, Base64-encoded data. For more information about LDIF files, refer to the documentation provided with the LDAP server.

Here is a sample LDIF file that you might create as input to the LDAP server to load the CRLs and ARLs issued by CA1, an imaginary Certification Authority with the Distinguished Name CN=CA1, OU=Test, O=IBM, C=GB, set up by the Test organization within IBM (Figure 11):

dn: o=IBM, c=GB
o: IBM
objectclass: top
objectclass: organization

dn: ou=Test, o=IBM, c=GB
ou: Test
objectclass: top
objectclass: organizationalUnit

dn: cn=CA1, ou=Test, o=IBM, c=GB
cn: CA1
objectclass: cRLDistributionPoint
objectclass: certificationAuthority
authorityRevocationList;binary:: (PEM format data)
certificateRevocationList;binary:: (PEM format data)
caCertificate;binary:: (PEM format data)

Figure 12 shows the DIT structure that the LDAP server creates when you load the sample LDIF file shown in Figure 11 together with a similar file for CA2, an imaginary Certification Authority set up by the PKI organization, also within IBM.
Configuring and updating LDAP servers
Use the following procedure to configure or update the LDAP server:
1. Obtain the CRLs and ARLs in PEM format from the Certification Authority, or Authorities.
2. Using a text editor or the tool provided with the LDAP server, create one or more LDIF files that contain the Distinguished Name of the CA and the required object class definitions. Copy the PEM format data into the LDIF file as the values of either the certificateRevocationList;binary attribute, the authorityRevocationList;binary attribute, or both.
3. Start the LDAP server.
4. Add the entries from the LDIF file or files you created at step 2.

Note: Ensure that the access control list for the LDAP server allows authorized users to read, search, and compare the entries that hold the CRLs and ARLs.
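The following script is an added example, not part of this documentation or of any LDAP server's tooling. It generates the LDIF for step 2 from a CA Distinguished Name: it creates the organization and organizational unit entries above the CA entry (parents first, as the DIT hierarchy requires), places the Base64 body of each PEM file after the "::" separator, folds long lines as LDIF requires, and rejects input that is not valid PEM before it reaches the directory. The CA DN is the one from the sample; the PEM block is a constructed placeholder rather than a real CRL.

```python
import base64
import re

# Constructed sample inputs, not real CA data: the CA DN from the documentation and a PEM
# block whose payload is placeholder bytes rather than a real DER-encoded CRL.
CA_DN = "CN=CA1, OU=Test, O=IBM, C=GB"
SAMPLE_PEM_CRL = ("-----BEGIN X509 CRL-----\n"
                  + base64.encodebytes(b"constructed placeholder, not a real DER CRL").decode()
                  + "-----END X509 CRL-----\n")
OBJECTCLASS_FOR = {"o": "organization", "ou": "organizationalUnit"}  # levels above the CA entry

def pem_body_to_ldif_value(pem):
    """Return the Base64 body of a PEM block as one unbroken string for use after '::'."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("input is not a PEM block")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # reject corrupted or non-Base64 data before loading it
    return body

def fold(line, width=76):
    """Fold a long LDIF line as RFC 2849 requires: continuation lines start with one space."""
    rest = [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join([line[:width]] + rest)

def rdns(dn):
    """Split 'CN=CA1, OU=Test, O=IBM, C=GB' into [('cn', 'CA1'), ('ou', 'Test'), ...]."""
    return [(k.strip().lower(), v.strip()) for k, v in
            (part.split("=", 1) for part in dn.split(","))]

def build_ldif(ca_dn, crl_pem=None, arl_pem=None, ca_cert_pem=None):
    """Emit LDIF for the organization, organizational unit and CA entries, parents first."""
    parts = rdns(ca_dn)
    entries = []
    for depth in range(len(parts) - 2, -1, -1):  # skip the country RDN, as in the sample file
        attr, value = parts[depth]
        dn = ", ".join(f"{k}={v}" for k, v in parts[depth:])
        lines = [f"dn: {dn}", f"{attr}: {value}", "objectclass: top"]
        if depth == 0:  # the CA's own entry carries the revocation lists and CA certificate
            lines += ["objectclass: cRLDistributionPoint", "objectclass: certificationAuthority"]
            for name, pem in (("authorityRevocationList;binary", arl_pem),
                              ("certificateRevocationList;binary", crl_pem),
                              ("caCertificate;binary", ca_cert_pem)):
                if pem:
                    lines.append(fold(f"{name}:: {pem_body_to_ldif_value(pem)}"))
        else:
            lines.append(f"objectclass: {OBJECTCLASS_FOR[attr]}")
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```

Run build_ldif(CA_DN, crl_pem=open("ca1.crl").read()) with a real PEM CRL to produce a file you can pass to the LDAP server's LDIF import tool.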