
How to export certificate in PEM format?


I have an Ubuntu LDAP server, with STARTTLS using a self-signed certificate (following these instructions).

When setting up a CentOS client (following these instructions), the authconfig-tui command asks me for the certificate in PEM format:

│ To connect to a LDAP server with TLS       │
│ protocol enabled you need a CA certificate │
│ which signed your server's certificate.    │
│ Copy the certificate in the PEM format to  │
│ the '/etc/openldap/cacerts' directory.     │
│ Then press OK.                             │

How do I get the certificate in PEM format? I found these commands, but the /etc/dirsrv/ folder does not even exist on my Ubuntu system.

certutil -L -d /etc/dirsrv/slapd-SOMETHING
certutil -L -d /etc/dirsrv/slapd-SOMETHING -n "SOMETHING_ELSE" -a > cacert.asc

I have also seen the command certutil -L -d /etc/openldap/certs, which gives me this error message (I have also tried with /etc/ssl/certs):

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Note that for obvious reasons, I would like to export only the public part of the certificate, not the private part (being used to the easy-to-recognize SSH keys, where id_rsa is private and id_rsa.pub is public, I always find it difficult to know if a certificate I exported is public or private…)


Solution

  • If you follow the instructions you linked to, then you've got the certificate in PEM format already. From these instructions:

    Create the self-signed CA certificate:

    sudo certtool --generate-self-signed \
       --load-privkey /etc/ssl/private/cakey.pem \
       --template /etc/ssl/ca.info \
       --outfile /etc/ssl/certs/cacert.pem


    The certificate is /etc/ssl/certs/cacert.pem and it is in PEM format.

    ...I would like to export only the public part of the certificate, not the private part

    A certificate (cacert.pem) contains only the public key. The private key (cakey.pem) is not included in the certificate.
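As an added example (not part of the question or the answer above), a small POSIX shell helper that settles the "is this file public or private?" doubt by reading the PEM BEGIN labels, and that extracts only the CERTIFICATE block from a file before it is copied to the client's cacerts directory. The sample files it creates are constructed with fake bodies and real PEM labels; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Classify a PEM file by its
# BEGIN label so a certificate (safe to copy to /etc/openldap/cacerts)
# is never confused with a private key (must stay on the server).
pem_kind() {
    # Check for private-key labels first: a bundle that contains a key
    # anywhere must be flagged, even if it also holds a certificate.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo private-key
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then
        echo public-key
    else
        echo unknown
    fi
}

# Copy only the CERTIFICATE block(s) from $1 into $2, dropping anything
# else (e.g. a private key accidentally bundled in the same file).
# Returns 1 and leaves no output file if no certificate block exists.
# After exporting, "openssl x509 -in OUT -noout -text" shows the contents.
export_cert_only() {
    in="$1"; out="$2"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$in" > "$out"
    [ -s "$out" ] || { rm -f "$out"; return 1; }
    chmod 0644 "$out"   # a CA certificate is public data; 0644 is fine
}

# Constructed sample files (fake bodies, genuine PEM labels) for the demo.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeCertBody' \
    '-----END CERTIFICATE-----' > "$demo_dir/cacert.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEfakeKeyBody' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/cakey.pem"
cat "$demo_dir/cakey.pem" "$demo_dir/cacert.pem" > "$demo_dir/bundle.pem"

for f in cacert.pem cakey.pem bundle.pem; do
    printf '%s: %s\n' "$f" "$(pem_kind "$demo_dir/$f")"
done
```

On a real system, point `export_cert_only` at /etc/ssl/certs/cacert.pem and copy the result to /etc/openldap/cacerts on the CentOS client.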