{"description": "Create the PKI directory for LDAP certificates if it does not already exist:\n<pre>$ sudo mkdir /etc/pki/tls/ldap\n$ sudo chown root:root /etc/pki/tls/ldap\n$ sudo chmod 755 /etc/pki/tls/ldap</pre>\nUsing removable media or some other secure transmission format, install the certificate files\nonto the LDAP server:\n<ul>\n<li><tt>/etc/pki/tls/ldap/serverkey.pem</tt>: the private key <tt>ldapserverkey.pem</tt></li>\n<li><tt>/etc/pki/tls/ldap/servercert.pem</tt>: the certificate file <tt>ldapservercert.pem</tt></li>\n</ul>\nVerify the ownership and permissions of these files:\n<pre>$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem\n$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem\n$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem\n$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem</pre>\nVerify that the CA's public certificate file has been installed as\n<tt>/etc/pki/tls/CA/cacert.pem</tt>, and has the correct permissions:\n<pre>$ sudo mkdir /etc/pki/tls/CA\n$ sudo chown root:root /etc/pki/tls/CA/cacert.pem\n$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</pre>\n\nAs a result of these steps, the LDAP server will have access to its own\ncertificate and the private key corresponding to it, and to the public\ncertificate file belonging to the CA. Note that it would be possible for\nthe key to be protected further, so that processes running as ldap could not\nread it. If this were done, the LDAP server process would need to be restarted\nmanually whenever the server rebooted.", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": {}, "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Install and Protect LDAP Certificate Files", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ldap/openldap_server/ldap_server_config_certificate_files/group.yml"}