Certificates

The certificates are in the name of ldap.rutgers.edu and ldap2.rutgers.edu. They are signed by the RULink Project CA. Anyone whose software checks certificates should load the certificate for the CA, not the individual certificate.

On Windows, the easiest way to load the CA's cert is to point Internet Explorer at https://ldap.rutgers.edu:636. In the popup, view certificate. Choose "Certification path". Click on rulink-ca. Click "view certificate". Install certificate. Make sure you are installing rulink-ca, the CA Root certificate, not the first certificate you come to.

However, that approach works only for end users. It loads the certificate into a personal database that applies only to processes you personally run. If you are going to run a service on your Windows system, you will probably want to load the certificate into the computer's global database instead. These instructions were written on Windows XP, but I'm guessing they will work with minor changes on other recent versions.

  1. Right-click the RULink CA certificate (text format) and save it to a file.
  2. Choose the "Run" command from the "Start" menu and enter "mmc". That gives you the management console.
  3. Pull down the "File" menu and choose "Add/Remove Snap-in".
  4. Hit the "Add" button.
  5. Choose "Certificates".
  6. Choose to manage the "Computer account".
  7. Choose "Local computer".
  8. Finish.
  9. OK.
  10. The management console now has the certificates widget; double-click it.
  11. Choose "Trusted Root Certification Authorities".
  12. Select (single click, do not double-click) "Certificates".
  13. Pull down "Action", choose "All Tasks", and then "Import".
  14. You are now in the certificate import wizard; import the certificate you saved in step 1.
  15. It should say it is putting the certificate into "Trusted Root Certification Authorities".
  16. Once it is loaded, double-clicking "Certificates" should show an alphabetical list of the root CAs, and "rulink" should be in that list.

For operating systems other than Windows, you may need to load the CA Root certificate yourself. Here it is in several different forms:

ca-bundle.crt is a file present in some Linux distributions. It contains the certificates for all the standard CAs in a single file, and you can add ours at the beginning or the end (order doesn't matter). I've seen other installations of OpenSSL where /usr/local/ssl/cert.pem is in the same format and needs the same change. To get PHP to reach the server over SSL, you may need to edit /usr/local/etc/openldap/ldap.conf and add the line

TLS_CACERT /usr/local/ssl/cert.pem

substituting the name of the file to which you added the certificate. In PHP, you'll then want to use ldap_connect('ldaps://ldap.rutgers.edu:636').

For Java applications, you will want to add the certificate in DER format to Java's jre/lib/security/cacerts keystore. Here's a command:

$1/bin/keytool -import -alias rucert -file cacert.der \
-keystore $1/jre/lib/security/cacerts -storepass changeit

where $1 is the value of JAVA_HOME, more or less. This is complicated by the fact that many systems have multiple copies of Java; you'll need to find the one your application actually uses.
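The Unix-side steps above (append the CA to the OpenSSL bundle, point TLS_CACERT at it, import the CA into the Java keystore) collected into one script, together with a check for the point made at the top of the page: the file you trust must be the CA root, not the server's own certificate. This is an added example, not code from the Rutgers page or the RULink project. It assumes the CA certificate has been saved as rulink-ca.pem, that openssl, keytool and readlink -f are available, and that the bundle path and the java binary passed in are placeholders to adjust for your host.

```shell
#!/bin/sh
# Added example, not part of the Rutgers page. Installs a CA root certificate
# (assumed saved as rulink-ca.pem) into an OpenSSL-style bundle and into the
# cacerts keystore of a chosen Java, and verifies the LDAPS chain against it.
# Assumes openssl, keytool and readlink -f are available; paths are placeholders.
set -eu

# 0 if the file holds exactly one CERTIFICATE block and no private key:
# a cheap guard against appending the wrong file to a trust store.
pem_is_single_cert() {
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
    [ "$(grep -c '^-----END CERTIFICATE-----' "$1")" -eq 1 ] &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# 0 if the certificate carries CA:TRUE in its Basic Constraints, i.e. it is
# the CA root and not the server's own (leaf) certificate. Needs openssl.
pem_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Number of certificates in a bundle file (0 if it does not exist).
bundle_cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append the certificate to the bundle unless its body is already there.
# Order in the bundle does not matter, but duplicates accumulate on re-runs.
# Prints "added" or "present"; returns 1 for a file that is not one cert.
bundle_add_cert() {
    _cert="$1"; _bundle="$2"
    pem_is_single_cert "$_cert" || { echo "refusing $_cert: not a single certificate" >&2; return 1; }
    _body=$(tr -d '\r' < "$_cert" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
        grep -v -- '-----' | tr -d '\n')
    [ -n "$_body" ] || { echo "refusing $_cert: empty certificate body" >&2; return 1; }
    if [ -f "$_bundle" ] && tr -d '\r\n' < "$_bundle" | grep -qF -- "$_body"; then
        echo present; return 0
    fi
    # make sure the bundle ends with a newline before appending
    if [ -s "$_bundle" ] && [ -n "$(tail -c1 "$_bundle")" ]; then echo >> "$_bundle"; fi
    cat "$_cert" >> "$_bundle"
    echo added
}

# Verify that the LDAPS server chains to the CA in the bundle (needs network).
# Usage: verify_ldaps ldap.rutgers.edu:636 /usr/local/ssl/cert.pem
verify_ldaps() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Import the CA into the cacerts keystore of the JRE that a given java binary
# belongs to. Following the symlink finds the copy your application really uses.
# Usage: java_import_ca "$(command -v java)" rulink-ca.pem
java_import_ca() {
    _home=$(dirname "$(dirname "$(readlink -f "$1")")")
    for _ks in "$_home/lib/security/cacerts" "$_home/jre/lib/security/cacerts"; do
        if [ -f "$_ks" ]; then
            "$_home/bin/keytool" -importcert -noprompt -trustcacerts -alias rulink-ca \
                -file "$2" -keystore "$_ks" -storepass changeit
            return 0
        fi
    done
    echo "no cacerts keystore found under $_home" >&2
    return 1
}

# Usage: sh install-rulink-ca.sh [ca.pem] [bundle]   (runs nothing when sourced)
main() {
    _ca="${1:-rulink-ca.pem}"; _bundle="${2:-/usr/local/ssl/cert.pem}"
    pem_is_ca "$_ca" || { echo "$_ca is not a CA certificate; install the root, not the leaf" >&2; exit 1; }
    bundle_add_cert "$_ca" "$_bundle"
    verify_ldaps ldap.rutgers.edu:636 "$_bundle" && echo "LDAPS chain verifies against $_ca"
    java_import_ca "$(command -v java)" "$_ca"
}
[ "$#" -eq 0 ] || main "$@"
```

The bundle step is idempotent, so the script can be re-run after an OpenSSL upgrade replaces cert.pem without stacking duplicate copies of the CA. The keytool import takes the certificate in either PEM or DER form, so the same rulink-ca.pem serves both stores; the alias and the default changeit password match the page's command.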



For questions or comments about this site, contact ldap-support@rutgers.edu.
© 2007 Rutgers, The State University of New Jersey. All rights reserved.
Last Updated: 02/05/2008