Provide CA certificates for HTTPS and LDAPS in the system store

LDAP UserIdResolver Can be addressed with ldaps or StartTLS via SSL. For this LinOTP must check the validity and trustworthiness of the certificate. It is necessary that the LinOTP has the CA-Cert with complete chain available.

This can be done on two levels:

  1. The complete chain is inserted in the UserIdResolver configuration in the field provided (copy and paste). The certificate is first transferred to the configuration database of LinOTP and loaded into /etc/linotp2/data with the first use. From there it is then used.
  2. Alternatively and not simultaneously, the certificate can also be stored in the system store of the operating system.

The evaluation of the certificates prioritizes the certificates that are located in /etc/linotp2/data (at point 1) and originate from the database.


Unfortunately the handling of certificate chains in the UserIdResolver itself is unreliable, because it is not directly and immediately effective.

Especially if the exchange of certificates is to be carried out. The certificates should be used directly in the operating system.

Certificate chains for UserIdResolvers on OS level

Providing the CA_Certificate

  • the certificate exported from the Windows PKI must be converted to the PEM form. Details can be found at the end of the Howto.
  • store certificates in PEM format to /usr/local/share/ca-certificates/ - they should end on .crt
  • regenerate certificate store

All ldap clients use the System store

  • Change /etc/ldap/ldap.conf to use system certificates

    First change 'mako' in /etc/lseappliance/config-templates

This is an auto generated file, generated by LinOTP Appliance.
# Please do not edit.
# Rather edit the template etc-ldap-ldap.conf.mako
# This file defines the LDAP defaults
## Destination: /etc/ldap/ldap.conf
## Before:
## After: radius
## Data: radius
## Priority: 80
# Don't follow referrals returned by the LDAP server when using
# RADIUS forwarding.
# UserIdResolver Ca-Cert Filename ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Regenerate config -c generate_config -o ALL

Create/Edit UserIdResolver

Use ldaps or startTLS and leave certificate field empty.


If the certificate was removed from the field when editing the UserIdResolver, the old certificate may still be used.

Delete the contents of the directory /etc/linotp2/data/ and then restart apache.

cd /etc/linotp2/data
rm *
systemctl restart apache2.service

Converting PKCS#7 from the Windows PKI

You have to install the certificate separately on all LinOTP's it's not covered by redundancy to have the full chain in the Windows-CA use the PKCS#7 format there you can check a box where you can include the full chain (coming from the sub-ca) commands to convert the PKCS#7 in linotp:

openssl pkcs7 -inform der -in ca-chain.p7b -out ca-chain.cer
openssl pkcs7 -print_certs -in ca-chain.cer -out ca-chain.crt
openssl x509 -text -noout -in ca-chain.crt