How to save the LDAP SSL Certificate from OpenSSL

I wanted the SSL Certificate of my LDAP Server which is Novell eDirectory. I have used openssl to connect to ldap to view the certificate.

openssl s_client -connect 192.168.1.225:636 

It is just printing the certificate. How can I save this to some certificate format file?

Dungeon Hunter asked Aug 16 '11 20:08



2 Answers

Copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including these delimiters) and paste it in a new text file (usually with the extension .pem or .crt). You can use your favourite (plain) text editor for this, for example Notepad, Gedit, Vim, Emacs (depending on the system you're using).

Alternatively, you can pipe the output to sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p', as described here:

echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem 
Bruno answered Sep 28 '22 02:09
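As an added example (not part of Bruno's answer), the same extraction done in Python over a constructed sample of `openssl s_client -showcerts` output: it pulls out every PEM block, so a full chain is split into separate files rather than only the first certificate, and it prints each certificate's SHA-256 fingerprint so the value can be compared out of band before the file is put into a trust store. The sample output and its PEM bodies are constructed placeholders, not real certificates, and the script name in the usage comment is hypothetical.

```python
import base64
import hashlib
import os
import re
import sys

# Constructed sample of `openssl s_client -showcerts` output. The PEM bodies are
# base64 of placeholder bytes, not real DER, so they can be extracted and hashed
# but will not parse as X.509. SHA-256("abc") is a well-known test vector.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=1 CN = Example Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.example.local
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
{leaf}
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
{root}
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.local
issuer=CN = Example Root CA
---
DONE
""".format(
    leaf=base64.b64encode(b"abc").decode(),
    root=base64.b64encode(b"constructed placeholder for the root CA DER").decode(),
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def extract_pem_certificates(text):
    """Return every PEM certificate in s_client output, in order, re-wrapped at 64 columns.

    Same range as the sed expression in the answer, but it also copes with
    -showcerts output that carries the whole chain, and with stray whitespace."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        if not body:
            continue  # tolerate an empty block rather than writing a useless file
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return certs


def pem_to_der(pem):
    """Decode the base64 body of one PEM block back to its DER bytes."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint over the DER bytes, the value that
    `openssl x509 -noout -fingerprint -sha256` prints for a real certificate."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def save_chain(text, directory, prefix="ldapserver"):
    """Write certificate 0 to <prefix>.pem and the rest to <prefix>-<n>.pem.
    Returns [(path, fingerprint), ...] so the caller can compare the fingerprints
    out of band before trusting any of these files."""
    written = []
    for index, pem in enumerate(extract_pem_certificates(text)):
        name = prefix + (".pem" if index == 0 else "-%d.pem" % index)
        path = os.path.join(directory, name)
        with open(path, "w") as handle:
            handle.write(pem)
        written.append((path, sha256_fingerprint(pem)))
    return written


if __name__ == "__main__":
    # Usage (script name hypothetical):
    #   echo -n | openssl s_client -connect host:636 -showcerts | python3 save_ldap_certs.py .
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, fingerprint in save_chain(sys.stdin.read(), target):
        print(path, fingerprint)
```

Piping the real `s_client` output through this script gives one file per certificate in the chain; the fingerprint printed for each should match what the directory administrator reports for the server or its CA before the file is distributed as a trust anchor.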


For those looking to grab the certs over a LDAP connection using StartTLS:

I have re-submitted a patch to OpenSSL to support LDAP when using -starttls for s_client. So eventually this should work (if it ever makes it in I guess -- not yet as of 10/18/16):

openssl s_client -connect servername:389 -starttls ldap -showcerts

Edit: Support was eventually merged under this PR. C is not my forte so luckily someone else ran with it ;)

I also wrote a PHP function to extract the SSL certificates after issuing a STARTTLS command over a TCP connection. It could easily be ported to other languages with a little work:

/**
 * @param string $server The server name to connect to
 * @param int $port The standard LDAP port
 * @return array In the form of ['peer_certificate' => '', 'peer_certificate_chain' => [] ]
 */
function getLdapSslCertificates($server, $port = 389)
{
    $certificates = [
        'peer_certificate' => null,
        'peer_certificate_chain' => [],
    ];
    // This is the hex encoded extendedRequest for the STARTTLS operation
    // (LDAPMessage with messageID 1 and requestName OID 1.3.6.1.4.1.1466.20037)...
    $startTls = hex2bin("301d02010177188016312e332e362e312e342e312e313436362e3230303337");
    $opts = [
        'ssl' => [
            'capture_peer_cert' => true,
            'capture_peer_cert_chain' => true,
            'allow_self_signed' => true,
            'verify_peer' => false,
            'verify_peer_name' => false,
        ],
    ];

    $context = stream_context_create($opts);
    $client = @stream_socket_client(
        "tcp://$server:$port",
        $errorNumber,
        $errorMessage,
        5,
        STREAM_CLIENT_CONNECT,
        $context
    );
    // A failed connection returns false; bail out instead of calling stream functions on it
    if ($client === false) {
        return $certificates;
    }
    @stream_set_timeout($client, 2);
    @fwrite($client, $startTls);
    @fread($client, 10240);
    @stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    $info = @stream_context_get_params($client);

    if (!$info) {
        return $certificates;
    }
    openssl_x509_export($info['options']['ssl']['peer_certificate'], $certificates['peer_certificate']);

    foreach ($info['options']['ssl']['peer_certificate_chain'] as $index => $cert) {
        $certChain = '';
        openssl_x509_export($cert, $certChain);
        $certificates['peer_certificate_chain'][$index] = $certChain;
    }
    @fclose($client);

    return $certificates;
}

The above function will return an array containing the peer certificate and the peer certificate chain. So it could be used like so:

// Just pass it the server name
$certificates = getLdapSslCertificates('dc1.example.local');

// The certificates are in the array as strings in PEM format
echo $certificates['peer_certificate'].PHP_EOL;
foreach ($certificates['peer_certificate_chain'] as $cert) {
    echo $cert.PHP_EOL;
}
ChadSikorra answered Sep 28 '22 02:09
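Added example, not ChadSikorra's code: the same STARTTLS exchange written in Python. Instead of a hex literal, the extendedRequest is built from its BER parts (which shows where the bytes in the PHP function come from), the server's extendedResponse is decoded so a refusal is reported rather than silently attempting a TLS handshake on a clear-text socket, and the leaf certificate is returned as PEM. Verification is disabled only because the purpose is to retrieve a certificate for inspection, not to establish a trusted session. The two response messages are constructed samples, and the host name in the usage line is a placeholder.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(value)) + value


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID INTEGER, extendedRequest [APPLICATION 23] { requestName [0] } }.
    With message_id=1 this is byte-for-byte the hex string in the PHP function above."""
    request = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + request)


def parse_ber_tlv(data, offset=0):
    """Return (tag, value, next_offset) for the TLV at offset; handles long-form lengths."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[offset:offset + count], "big")
        offset += count
    return tag, data[offset:offset + length], offset + length


def parse_starttls_response(data):
    """Return the LDAP resultCode from an extendedResponse [APPLICATION 24].
    0 means the server is ready for the TLS handshake; anything else is a refusal.
    Raises ValueError if the bytes are not an extendedResponse at all."""
    tag, message, _ = parse_ber_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, offset = parse_ber_tlv(message)  # messageID INTEGER
    tag, result, _ = parse_ber_tlv(message, offset)
    if tag != 0x78:
        raise ValueError("expected extendedResponse, got tag 0x%02x" % tag)
    tag, code, _ = parse_ber_tlv(result)  # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("malformed LDAPResult")
    return int.from_bytes(code, "big")


# Constructed sample replies (messageID 1, empty matchedDN and diagnosticMessage):
# resultCode 0 = success, resultCode 53 = unwillingToPerform.
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_STARTTLS_REFUSED = bytes.fromhex("300c02010178070a013504000400")


def fetch_ldap_certificate_via_starttls(host, port=389, timeout=5):
    """Connect in clear text, send the STARTTLS request, then upgrade the socket
    and return the server's leaf certificate as PEM for inspection and pinning."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False   # retrieval only: the cert is what we are fetching
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_starttls_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused STARTTLS, LDAP resultCode %d" % code)
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # Placeholder host name; replace with the directory server to query.
    print(fetch_ldap_certificate_via_starttls("ldap.example.local"))
```

Checking the resultCode before calling `wrap_socket` is the step the PHP version skips with its blind `fread`: a server that answers with unwillingToPerform (for example because it has no certificate configured) would otherwise just produce a confusing TLS handshake failure.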