Linux Commands to Check for MCommunity eDirectory Certificates

New Certificate Authority (CA) certificates for the MCommunity eDirectory environments will be implemented on April 29, 2018. Any certificates issued by the old CA will become invalid at that time. This may affect a small number of systems that make specially configured LDAP connections to MCommunity environments. This document lists the Linux commands to check for a matching certificate fingerprint in a Java keystore.

Most systems are unaffected. The majority of systems that use LDAP to search MCommunity will be unaffected by this change, because connections to ldap.umich.edu are presented an InCommon-issued certificate that chains to a publicly trusted root and is therefore accepted by most clients automatically, with no locally installed CA certificate involved.

A few systems need a new certificate. Systems that will need a new certificate are those that:

  • Make LDAP connections using Certificate Mutual Authentication.
  • Connect to a specific eDirectory server by name.

Identify these systems by checking for references to a file named MCOMMUNITY_CA.pem or MCOMMUNITY-LDAP_CA.pem in the LDAP connection configuration. These systems will need the new CA's public certificate installed in the trust store their LDAP client uses (for example, the Java keystore checked below) in order to trust any non-InCommon certificate presented by the eDirectory servers when an LDAP connection is initiated.

Run keytool against the keystore the LDAP client uses (it prompts for the keystore password) and grep for each SHA1 fingerprint. Use -v: on Java 9 and later, keytool -list without -v prints only SHA-256 fingerprints, so a grep for these SHA1 values would silently find nothing. Any line of output means the keystore holds that MCommunity CA certificate; the alias it is stored under is on the "Alias name:" line a few lines above the match in the -v output.

Find MCommunity Prod Certificates

keytool -list -v -keystore /path/to/keystore.jks | grep D6:A0:C9:92:D0:45:87:B4:70:11:A5:26:10:2E:D5:0E:1B:01:DC:1E

keytool -list -v -keystore /path/to/keystore.jks | grep D4:C3:BA:18:1F:2E:DA:2F:5D:46:1E:98:01:72:02:FA:9F:9C:6E:24

Find MCommunity QA Certificates

keytool -list -v -keystore /path/to/keystore.jks | grep DB:41:88:04:08:5D:EC:1B:C4:30:5E:F6:DF:AB:22:6D:66:E0:0F:34

keytool -list -v -keystore /path/to/keystore.jks | grep 61:F5:09:0A:9D:F9:79:51:5E:35:1C:A6:DE:E0:B9:81:62:2D:5E:36
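The four greps above answer "is the fingerprint present" but not which keystore entry holds it, and each one re-reads the keystore. The script below is an added example, not part of the original page: it makes one pass over keytool -list -v output, matches all four MCommunity fingerprints case-insensitively, and prints the alias and environment (prod or qa) for each hit. It assumes the standard keytool -v layout (an "Alias name:" line followed later by a "Certificate fingerprints:" block with a "SHA1:" line); the function names are the example's own, and the sample keytool output at the bottom is constructed so the script runs without a keystore or a Java installation.

```shell
#!/bin/sh
# Added example (not from the original page): scan `keytool -list -v` output
# for the MCommunity eDirectory CA SHA1 fingerprints listed in this document
# and report which keystore alias holds each match.

# SHA1 fingerprints from this document, tagged with their environment.
MCOMMUNITY_FINGERPRINTS='
D6:A0:C9:92:D0:45:87:B4:70:11:A5:26:10:2E:D5:0E:1B:01:DC:1E prod
D4:C3:BA:18:1F:2E:DA:2F:5D:46:1E:98:01:72:02:FA:9F:9C:6E:24 prod
DB:41:88:04:08:5D:EC:1B:C4:30:5E:F6:DF:AB:22:6D:66:E0:0F:34 qa
61:F5:09:0A:9D:F9:79:51:5E:35:1C:A6:DE:E0:B9:81:62:2D:5E:36 qa
'

# Reads `keytool -list -v` output on stdin and prints "<alias> <environment>"
# for every entry whose SHA1 fingerprint is in the list above.  Matching is
# case-insensitive.  Exit status 0 if at least one entry matched, 1 otherwise.
# -v output is required: on Java 9 and later, plain `keytool -list` prints
# only SHA-256 fingerprints, so a search for a SHA1 value finds nothing.
match_mcommunity_certs() {
    awk -v fps="$MCOMMUNITY_FINGERPRINTS" '
        BEGIN {
            # Build a lookup table: upper-cased fingerprint -> environment.
            n = split(fps, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) envof[toupper(f[1])] = f[2]
        }
        # Remember the alias of the entry currently being printed.
        /^Alias name:/ { alias = $0; sub(/^Alias name:[ \t]*/, "", alias) }
        # Fingerprint lines are indented: "<tab> SHA1: xx:xx:..."
        /^[ \t]*SHA1:/ {
            fp = toupper($2)
            if (fp in envof) { print alias, envof[fp]; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Scans a keystore file.  Usage: scan_keystore /path/to/keystore.jks [storepass]
# Without a password keytool prompts for it.  A password given as an argument
# is visible in process listings; prefer the prompt on shared hosts.
scan_keystore() {
    if [ -n "$2" ]; then
        keytool -list -v -keystore "$1" -storepass "$2" | match_mcommunity_certs
    else
        keytool -list -v -keystore "$1" | match_mcommunity_certs
    fi
}

# Constructed sample of `keytool -list -v` output (assumed shape: the real
# tool prints the same "Alias name:" and "SHA1:" lines).  One entry carries a
# prod fingerprint, written in lower case to show case-insensitive matching;
# the other is an unrelated root that must not match.
sample_keytool_output() {
    printf '%s\n' \
        'Keystore type: JKS' \
        'Keystore provider: SUN' \
        '' \
        'Your keystore contains 2 entries' \
        '' \
        'Alias name: mcommunity-prod-ca' \
        'Creation date: Jan 5, 2017' \
        'Entry type: trustedCertEntry' \
        '' \
        'Owner: CN=Constructed MCommunity CA, O=Example' \
        'Issuer: CN=Constructed MCommunity CA, O=Example' \
        'Certificate fingerprints:'
    printf '\t SHA1: d6:a0:c9:92:d0:45:87:b4:70:11:a5:26:10:2e:d5:0e:1b:01:dc:1e\n'
    printf '\t SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00\n'
    printf '%s\n' \
        '' \
        '*******************************************' \
        '' \
        'Alias name: unrelated-root' \
        'Entry type: trustedCertEntry' \
        'Certificate fingerprints:'
    printf '\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33\n'
}

# Demonstration against the constructed sample; needs no keytool or keystore.
# On a real host use: scan_keystore /path/to/keystore.jks
sample_keytool_output | match_mcommunity_certs
```

The exit status makes the check usable in inventory scripts: run scan_keystore over every keystore referenced by an LDAP client configuration and collect the hosts where it returns 0; those are the systems that need the new CA certificate imported under the alias the script prints.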

Last Updated: Thursday, March 8, 2018