LDAP search for certificates

As LDAP search for certificates is currently not yet available in djigzo, I thought about implementing a workaround for me to have at least the certificates for my "well known" usergroup always up-to-date.

In my case, a simple bash script would connect to the djigzo database and read the list of users that are currently configured.
It would then conduct an LDAP search using each user's email address to receive the current certificate of that user. The user's certificate in the database would be deleted, and the new certificate retrieved from LDAP would be imported.

Would that be possible, and which steps would be necessary to import the certificate into the database using psql?

Marek



1. Importing a certificate

Directly importing a certificate into the database is not a trivial
task. The main reason this is not easy is because certain fields of the
certificate are extracted and stored in database fields for improved
searching, chain building etc. There are however different ways to
import a new certificate:

a. Use a command line tool

Go to the Djigzo home dir (for example /usr/share/djigzo)

Use the following command to import a certificate from a file:

java -cp djigzo.jar mitm.application.djigzo.tools.manager.Manager -store cert -cer CERTIFICATE-FILE

The CERTIFICATE-FILE can be a single certificate (.cer) or a bunch of
certificates (.p7b).

It's a very rudimentary tool and hasn't been updated for a while but it
works.

b. Use the SOAP interface

The Djigzo front-end (the GUI) only contains the GUI part and talks to
the back-end via SOAP. All 'hard' work is done by the back-end. If you
have a tool that can speak SOAP, you might be able to do everything via
SOAP calls. This however requires some more work because the SOAP
interface is not documented (although it's pretty straightforward).

2. Deleting a certificate

Deleting a certificate is somewhat harder. The command line tool does
not allow you to delete a certificate so you should use SOAP for that or
use SQL commands to delete a certificate. It should be noted that it's
not always possible to delete a certificate. A certificate which is in
use cannot be deleted. A certificate is in use for example when it's
selected as a signing certificate or when it's explicitly selected (for
example as a domain certificate).

Is there a particular reason you want to delete a certificate? A
certificate which is expired is no longer valid and therefore no longer
used.

3. Getting a list of all users

You can either use SOAP or direct SQL commands to get a list of users.

Kind regards,

Martijn Brinkers


On 07/27/2011 04:31 PM, Marek Kreul wrote:

--
Djigzo open source email encryption
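As an added example that is not code from Djigzo or from either poster, here is a bash script for the workflow Marek describes, built around the Manager import command from the reply; LDAP_URL, BASE_DN and the LDAP attribute names are assumptions, and the certificate is checked before it is imported.

```shell
# Added example, not Djigzo code: fetch a user's certificate from LDAP, check it, and
# import it with the Manager command from the reply. Hypothetical assumptions: LDAP_URL and
# BASE_DN are your directory; "mail" / "userCertificate;binary" hold the address / DER cert.
set -eu
LDAP_URL="${LDAP_URL:-ldaps://ldap.example.internal}"   # TLS, not plain ldap://
BASE_DN="${BASE_DN:-ou=people,dc=example,dc=internal}"
# Escape RFC 4515 filter metacharacters so an odd address cannot alter the filter.
ldap_escape() { printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'; }
# Unfold LDIF from stdin (continuation lines begin with one space) and print the
# base64 of the first userCertificate;binary value; prints nothing if it is absent.
ldif_cert_b64() {
  awk '
    function flush() {
      if (!found && sub(/^userCertificate;binary:: */, "", buf)) { print buf; found = 1 }
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0 }
    END { flush() }'
}
# Look up one address and write its certificate as DER to $2; fails if none is found.
fetch_cert() {
  local email="$1" out="$2" b64
  b64=$(ldapsearch -LLL -x -H "$LDAP_URL" -b "$BASE_DN" \
          "(mail=$(ldap_escape "$email"))" 'userCertificate;binary' | ldif_cert_b64)
  [ -n "$b64" ] || { echo "no certificate in LDAP for $email" >&2; return 1; }
  printf '%s' "$b64" | base64 -d > "$out"
}
# Refuse anything that does not parse, is expired, or was not issued to the address
# we asked for: a directory can hold stale or mismatched certificates.
check_cert() {
  local der="$1" email="$2"
  openssl x509 -inform DER -in "$der" -noout -checkend 0 >/dev/null &&
    openssl x509 -inform DER -in "$der" -noout -email | grep -qixF -- "$email"
}
main() {   # addresses come from the Djigzo user list (SQL or SOAP, per the reply)
  local email der
  for email in "$@"; do
    der=$(mktemp)
    if fetch_cert "$email" "$der" && check_cert "$der" "$email"; then
      (cd /usr/share/djigzo && java -cp djigzo.jar \
         mitm.application.djigzo.tools.manager.Manager -store cert -cer "$der")
    else
      echo "skipping $email" >&2
    fi
    rm -f "$der"
  done
}
[ $# -gt 0 ] && main "$@"
```

Run it as `./refresh-certs.sh alice@example.internal bob@example.internal`; removing the previous certificate is not covered, since the reply notes a certificate that is in use cannot be deleted.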