LDAP Browser and SSL

For the most part getting Jarek Gawor’s LDAP Browser-Editor (LBE) to work with SSL-enabled LDAP, or LDAPS, is no big deal. Most of the time it will simply retrieve the server’s SSL certificate and then import it into a hidden keystore.

Sometimes, however, you’ll get this error when trying to connect over LDAPS:

"CA certificate is not in the server certificate chain. Please use the keytool command to import the server certificate"

As a Java application, LBE uses Sun’s proprietary certificate keystore format (JKS) to perform secure operations.

If you get the error above, you will need to manually import the root certificate for the CA (Certificate Authority) that signed the LDAPS server’s cert into a keystore that LBE has been configured to use. The root CA cert is preferred because it will allow you to connect to additional servers whose local certificates have been signed by it.

Probably the easiest way to retrieve a root CA cert is to go to the CA’s web site and download it. Failing that, you can first import it into a web browser like Firefox and then export it to a file.

To retrieve the CA’s cert using openssl, issue this command:

openssl s_client -showcerts -connect ldap.example.com:636

Once you have the CA cert file, then you need to import it into your Java keystore.

This is done using Sun’s keytool.

You can import into the system-wide keystore file, $JAVA_HOME/lib/security/cacerts. To do this, issue the command:

keytool -import \
  -alias cacert.org -file cacert.pem \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storetype jks

(note that the default password for the keystore is “changeit”, unless someone has deliberately changed it to something more secure, which you should)

To list the contents of the cacerts file:

keytool -list \
  -storetype jks \
  -keystore $JAVA_HOME/lib/security/cacerts

To keep things relatively clean (and to avoid damaging the system keystore), I usually import the cert into a separate keystore that I make in the LBE application directory:

keytool -import \
  -file cacert.pem \
  -keystore /opt/ldapbrowser/lbe.keystore

Make a note of the password you provide when keytool creates the keystore; you will need it in the next step.

Then create an lbe.properties file in the app directory (e.g. /opt/ldapbrowser/lbe.properties) with the following lines:

cacert.file=/opt/ldapbrowser/lbe.keystore
cacert.pw=pAssW0rd

Where “pAssW0rd” is the password you set in response to keytool’s prompt when the keystore was first created.

Finally, I symlink the lbe.properties and keystore files to my personal .lbe directory (~/.lbe, see an earlier article on configuring this for LBE).
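The retrieval and import steps above combined into one script, as an added example that is not from the original article: it keeps the last certificate that openssl prints (the highest CA the server sent), imports it into the separate lbe.keystore, and writes lbe.properties. It assumes openssl and keytool are on PATH, that keytool accepts -storepass:env, and the alias ldaps-ca and the KEYSTORE_PW variable are my own choices; if the server only sends an intermediate, you still need to fetch the root from the CA's site as described above.

```shell
#!/bin/sh
# Added example, not part of the original post or of LBE itself.
# Pull the certificate chain from an LDAPS server, keep the last certificate
# in the chain (the CA the server presented), and import it into a separate
# keystore for LBE. Assumes openssl and keytool are on PATH.

# Print only the last PEM certificate block found on stdin.
# openssl s_client -showcerts prints the chain leaf-first, so the last block
# is the highest CA the server sent. Pure text processing, no network needed.
last_cert_in_chain() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { cert = ""; inside = 1 }
        inside { cert = cert $0 "\n" }
        /-----END CERTIFICATE-----/ { inside = 0; last = cert }
        END { printf "%s", last }
    '
}

# Fetch the chain from host:port and write the last certificate to a file.
# Returns non-zero if no certificate was captured.
fetch_ca_cert() {
    hostport=$1
    out=$2
    # </dev/null closes stdin so s_client exits right after the handshake.
    openssl s_client -showcerts -connect "$hostport" </dev/null 2>/dev/null \
        | last_cert_in_chain > "$out"
    [ -s "$out" ]
}

# Import the CA cert into a dedicated keystore and write lbe.properties.
# The keystore password comes from the KEYSTORE_PW environment variable
# (keytool's -storepass:env) so it never appears on the command line.
setup_lbe_keystore() {
    cert=$1
    appdir=$2
    keytool -import -noprompt -alias ldaps-ca -file "$cert" \
        -keystore "$appdir/lbe.keystore" -storepass:env KEYSTORE_PW
    printf 'cacert.file=%s/lbe.keystore\ncacert.pw=%s\n' "$appdir" "$KEYSTORE_PW" \
        > "$appdir/lbe.properties"
    chmod 600 "$appdir/lbe.properties"   # the properties file holds the password in clear
}

# Usage: KEYSTORE_PW=secret ./lbe-ca.sh ldap.example.com:636 /opt/ldapbrowser
if [ $# -ge 2 ]; then
    fetch_ca_cert "$1" "$2/cacert.pem" && setup_lbe_keystore "$2/cacert.pem" "$2"
fi
```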

Once all this is in place, you should be able to fire up LBE and make an LDAPS connection to the server.