Information Technology at JPL

Directory and Authentication Service

JPL Directory Service Certificate Authority (CA)

The JPL Directory Service uses Secure Sockets Layer (SSL) certificates issued by DigiCert Inc. These certificates allow clients to connect to the JPL Directory service over a secure LDAP connection using either SSL or TLS. All authentications (BINDs) to the Directory service require a secure LDAP connection.

When a client connects to the server using SSL or TLS, the server returns a certificate declaring its identity. During validation, the client uses the CA (Certificate Authority) certificate to chain the server certificate back to its issuer (DigiCert). This establishes trust and allows the secure LDAP connection to the server to be completed.

The Directory service administrator will update the SSL server certificates no later than 6 months prior to their expiration. On occasion, DigiCert will issue new SSL server certificates that require a new CA certificate or Intermediate CA certificate to complete the chain. When this occurs, the Directory service administrator must update the Directory servers' configuration database of CAs with the latest CA certificate/Intermediate CA certificate set. Likewise, it is the responsibility of the administrators of client systems and applications that use the Directory Service to keep them current with these CA/Intermediate CA certificates.

The latest Directory server SSL server certificate updates were completed by June 1, 2015. The certificates were signed by DigiCert using its newer Intermediate CA, which issues SHA-2 server certificates with 256 bit encryption along with a 2048 bit CA certificate, and are supported with RC4-MD5 cipher suites.

With the CA trust updated on the system, the following is an example of a common secure ldapsearch run from a Linux workstation. Note that there are a variety of ldapsearch binaries; the one used must support the option(s) needed to make secure connections for this example to work.

$ ldapsearch -h ldap.jpl.nasa.gov -Z -x -b ou=personnel,dc=dir,dc=jpl,dc=nasa,dc=gov uid=tmberry dn
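As an added example (not code from JPL IT), the following Python script performs the client-side validation described above against an LDAPS endpoint: it requires a chain back to the trusted CA bundle, verifies the hostname, reports the negotiated cipher suite (flagging RC4-MD5 and similar legacy suites, which current TLS clients no longer accept), and classifies the server certificate against the 6 month renewal window. The host name, port 636, the CA file path and the sample certificate data are assumptions.

```python
import socket
import ssl
import time

# Cipher-suite name fragments a client should refuse to rely on (RC4-MD5 is one such suite).
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "DES")
RENEWAL_WINDOW_DAYS = 182  # the page's "no later than 6 months prior" policy

def cert_expiry_status(not_after, now):
    """Classify notAfter (getpeercert() string format) against the renewal window."""
    remaining = ssl.cert_time_to_seconds(not_after) - now
    if remaining <= 0:
        return "expired"
    if remaining <= RENEWAL_WINDOW_DAYS * 86400:
        return "renew"  # inside the 6-month window: a new server certificate is due
    return "ok"

def cipher_is_weak(cipher_name):
    """True when the negotiated suite contains a known-weak component, e.g. RC4-MD5."""
    return any(marker in cipher_name.upper() for marker in WEAK_CIPHER_MARKERS)

def assess(cert, cipher, now):
    """Build a report from a getpeercert() dict and an SSLSocket.cipher() tuple."""
    name, protocol, _bits = cipher
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
        "protocol": protocol,
        "cipher": name,
        "weak_cipher": cipher_is_weak(name),
        "expiry": cert_expiry_status(cert["notAfter"], now),
    }

def check_ldaps_server(host, port=636, cafile=None):
    """Connect with chain validation and hostname verification, then assess the session.
    cafile=None uses the system trust store; pass the DigiCert CA bundle (PEM) to rely on it instead."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname are on
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(tls.getpeercert(), tls.cipher(), time.time())

# Constructed sample in the shape getpeercert() returns; not a real JPL certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.invalid"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert Intermediate CA (placeholder name)"),)),
    "notAfter": "Jun  1 12:00:00 2016 GMT",
}
```

Run check_ldaps_server("ldap.jpl.nasa.gov") from a host whose CA trust is current; assess() can be exercised offline with SAMPLE_CERT and a cipher tuple such as ("RC4-MD5", "TLSv1", 128).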

Additional Information

  • Obtain the DigiCert Root/Intermediate CA certificates currently presented by the ldap server with the following OpenSSL command:

    $ echo | openssl s_client -showcerts -connect ldap.jpl.nasa.gov:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

  • For direct information on DigiCert certificates, visit the DigiCert site at:

  • Secure client code examples can be found at: Certificate Authority Examples

  • Developer code examples can be found at Directory Code Examples for Developers

  • The Directory servers' SSL server certificates from DigiCert were obtained using JPLIT's SSL certificates at https://ssl.jpl.nasa.gov.

https://dir.jpl.nasa.gov/certificates/index.php