Tags: java, ssl, ldap

How do I get the SSL certificate for an LDAP server using StartTLS?


I am trying to configure my application to access an LDAP server that is listening only on port 389 using the StartTLS extension for security. I want to get a copy of the SSL certificate so I can specify it as a known certificate (in a jssecacerts file, since my application is written in Java).

If it was running on port 636, I would use openssl like so:

openssl s_client -host myhost -port 636

and grab the certificate from the output.

My first thought was to try using:

openssl s_client -host myhost -port 389 -starttls ...

but that doesn't support the LDAP version of starttls.

Then, I tried using ldapsearch with a high debug level:

ldapsearch -ZZ -h myhost -d99 ...

and I could see that the over-the-wire data includes the certificate, but it's not in a form that I know how to use.

Is there an easy way to get the certificate, either through command line tools or a short program? (I don't particularly care which language, but Java would be ideal)


Solution

  • A new revision of the well-known InstallCert program now supports STARTTLS for several protocols, LDAP included.

    Just run it like this:

    java -jar installcert-usn-20131123.jar host_name:389
    

    and it will save the certificate for you in the jssecacerts keystore file in your JRE file tree, and also in the extracerts keystore file in your current directory. You can then use Java keytool to export the certificate(s) to other formats.

    You are welcome to visit my blog page "Yet another InstallCert for Java, now with STARTTLS support" for download and instructions.
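As an added example that is not part of the original question or answer: a short Python script that performs the LDAP StartTLS exchange by hand (the ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037, the ExtendedResponse, then the TLS handshake on the same socket) and returns the server's leaf certificate as PEM, which `keytool -importcert` can then load into jssecacerts. The function and helper names are my own; the host name is whatever you pass in.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation OID (RFC 4511)

def _ber_len(n):  # BER length octets: short form below 0x80, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos=0):  # returns (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))            # 0x77 = constructed APPLICATION 23
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)  # msg_id in 1..127 keeps the INTEGER one byte

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(resp)      # resultCode ENUMERATED, 0 = success
    _, _, pos = _read_tlv(resp, pos)    # matchedDN, not needed here
    _, diag, _ = _read_tlv(resp, pos)   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def fetch_starttls_cert_pem(host, port=389, timeout=10):
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request(1))
    _, code, diag = parse_extended_response(sock.recv(4096))  # the response is tiny; one read suffices
    if code != 0:
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    # Verification is off on purpose: this bootstrap fetch only obtains the cert so its fingerprint can be checked out of band before it goes into jssecacerts.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # check_hostname must be cleared first
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Write the returned PEM to a file and compare its fingerprint with what the LDAP administrator publishes before importing it; `fetch_starttls_cert_pem` only returns the leaf certificate, so import the issuing CA instead if that is what you intend to trust.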