Certificate Manager and LDAP

CM (DM) and LDAP - General

Introduction

The following describes, in question and answer format, how Certificate Manager can communicate over LDAP with Directory servers from different vendors in different PKI scenarios. The scenarios and the associated schemas are described in the SmartTrust Certificate Manager Technical Description.

What is Certificate Manager?

Certificate Manager is a Certification Authority (CA) product and enables the distribution of cryptographic keys and digital certificates. CM consists of separate components that may be installed on different server and client machines.

What is Distribution Manager?

Distribution Manager is a subsystem of CM whose task is to publish userCertificates, cACertificates, certificateRevocationLists and other attributes over LDAP to a directory. DM is a specialized LDAP client that can be configured in many different ways, depending on the requirements of the directory.

What are Directory Services?

Directories are specialised databases that are designed for quick and easy look up of information. Directory services provide access to data in a manner that relies on the organisation of the attributes of specific information.

CM (DM) and LDAP - Common Questions

  • What requirements does CM have on the directory?
CM does not have any special requirements other than that the Directory server must be compliant with LDAP v3. From CM's point of view the Directory is just a repository where Distribution Manager can put information such as certificates and CRLs.
  • Which type of information can DM publish?
DM can publish certificates and CRLs. Additional attributes can be extracted from certificates or CRLs and published to the Directory as separate Directory attributes.
  • What is the recommended Directory configuration ?
That depends entirely on the kind of service you intend to provide. The requirements on the Directory server are generally defined by the client application that will search the Directory for information. One special characteristic of directories (compared to general-purpose relational databases) is that they are accessed (read or searched) much more often than they are updated (written to).
  • Can DM publish to Microsoft Active Directory?
Yes, DM can meet the requirements set by AD. (See the scenarios in SmartTrust Certificate Manager Technical Description [2].)
AD stores CRLs in the objectClass "cRLDistributionPoint" and userCertificates in the objectClass "user + organizationalPerson + person".
  • Can DM publish information to any place in the Directory tree?
Yes, the information is stored either by adding a new entry to the Directory or by modifying an existing entry. The DN of the entry is determined by the configuration in the "Distribution Rule". The construction of the DN can contain extracted information from the certificate/CRL itself as well as fixed values.
  • Can the Directory tree have a different structure to the DN in the certificate/CRL?
Yes, the DN of an entry holding the certificate does not necessarily have to reflect the naming of the certificate holder (Subject DN).
  • Can DM add any type of object class to the Directory ?
Yes, on condition that the DM can extract enough information from the certificate so that all mandatory Directory attributes are present (otherwise the Directory will not complete the operation).
  • What does DM require to add an entry to the Directory?
Three items must be in place:
1. The object class DM is expected to add
2. All mandatory attributes for the requested object class
3. The DN ("path") to the location where the entry should be added.
  • What is needed for DM to add or replace an attribute in an existing entry?
The DN ("path") to the entry and the LDAP attribute name.
  • Can DM be configured to use a different LDAP attribute than the certificate attribute?
Yes, there is no "binding" connection between the certificate attributes that DM extracts from the certificate and the LDAP attribute name DM will use when the attribute is published. This technique can be used, for instance, when you want to publish "non-LDAP-standardised" certificate information such as "certificateserialnumber".
  • Which are the recommended object classes for storing CRLs and certificates?
The general recommendation is to use standardised object classes and attributes as far as possible.
Commonly used object classes for CRLs are
  • cRLDistributionPoint,
  • pkiCA
and
  • eidCertificationAuthority.
Commonly used object classes for CA certificates are
  • certificationAuthority,
  • pkiCA
and
  • eidCertificationAuthority.
Commonly used object classes for userCertificates are
  • inetOrgPerson,
  • pkiUser
and
  • eidCertificate.
