LDAP certificate publish

The gateway can be configured to automatically publish S/MIME certificates, generated by the built-in CA, to an external LDAP.

The LDAP publish script will try to look up the DN for the user and, if found, the certificate will be added to the user entry. If the user DN is not found, the certificate will not be added unless add_dn_if_not_found is set.

Enabling LDAP certificate publish requires some configuration from the command line.


Log in to the gateway console with SSH.

Windows users can for example use the free PuTTY SSH client.

Enable the service:

sudo ln -s /usr/share/djigzo-event/conf/spring/event-certificate-created.xml /usr/share/djigzo/conf/spring/spring.d/

Copy the default script to the directory from which scripts will be executed:

sudo cp  /usr/share/djigzo-event/scripts/event-certificate-created.sh /usr/share/djigzo/scripts/scripts.d/


The settings for the publish script, like for example the LDAP host, should be configured to match the company's LDAP.

The default settings can be overridden using the default file /etc/default/cm-event-certificate-created-settings.

sudo vi /etc/default/cm-event-certificate-created-settings

The following settings can be set:

ldap_uri

This is the LDAP host to connect to. This is a required parameter and should be set to the company's LDAP server.

The format should be [SCHEME]://[FQDN]:[PORT] where [SCHEME] should be ldap or ldaps.

ldap_bind_dn

The DN of the LDAP tree to bind to.

ldap_password

The LDAP password.

ldap_base_dn

The DN of the LDAP tree where the search for the user should start. The

Search scope

The search scope can be used to limit the search. Select base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub.

Alias dereferencing

Specify how alias dereferencing is done. Should be one of never, always, search, or find. The default is never.

Delete existing certificate

If set to true, the existing certificate will be deleted before importing the new certificate. The default is false.

add_dn_if_not_found

If set to true and the DN for the user is not found, a new DN will be created. The DN will be created at the configured ldap_base_dn with cn set to the email address of the user. The default is false.

Example of the added LDAP entry:

dn: cn=test@example.com,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: test@example.com
sn: Unknown
mail: test@example.com
userCertificate;binary:: ...


At a minimum, the following variables should be changed to match your LDAP server: ldap_uri, ldap_bind_dn, ldap_password and ldap_base_dn.
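As an added example (not a file shipped with the gateway), the following shows a settings file with the four mandatory variables in the KEY=value form that /etc/default files commonly use, plus a small check that the required variables are set and that ldap_uri has the documented [SCHEME]://[FQDN]:[PORT] shape. That the settings file is sourced as shell variables is an assumption; all values are constructed placeholders.

```shell
# Added example, not the gateway's own code. Writes a constructed settings
# file and validates it before the publish script is ever run.

# Write a constructed settings file to the path in $1 (use a temporary path
# while experimenting; the real file is
# /etc/default/cm-event-certificate-created-settings).
write_example_settings() {
    cat > "$1" <<'EOF'
# Constructed placeholder values; replace with your own LDAP server details.
ldap_uri="ldaps://ldap.example.com:636"
ldap_bind_dn="cn=certpublisher,ou=Services,dc=example,dc=com"
ldap_password="CHANGE-ME-placeholder"
ldap_base_dn="ou=People,dc=example,dc=com"
add_dn_if_not_found="false"
EOF
}

# Return 0 when the URI is ldap://FQDN:PORT or ldaps://FQDN:PORT, else 1.
validate_ldap_uri() {
    printf '%s\n' "$1" | grep -Eq '^ldaps?://[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Source the settings file in $1 and validate the mandatory variables.
# Reports the first problem found and returns 1; returns 0 when all is well.
validate_settings() {
    # shellcheck disable=SC1090
    . "$1" || return 1
    for var in ldap_uri ldap_bind_dn ldap_password ldap_base_dn; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing required setting: $var" >&2
            return 1
        fi
    done
    if ! validate_ldap_uri "$ldap_uri"; then
        echo "ldap_uri must be ldap://FQDN:PORT or ldaps://FQDN:PORT, got: $ldap_uri" >&2
        return 1
    fi
    return 0
}

# Demo run against a temporary file.
demo_file=$(mktemp)
write_example_settings "$demo_file"
if validate_settings "$demo_file"; then
    echo "settings in $demo_file look valid"
fi
rm -f "$demo_file"
```

After editing the real file, `validate_settings /etc/default/cm-event-certificate-created-settings` catches the common mistakes (an empty bind DN, a bare hostname without scheme or port) before the test publish below is attempted. Because the file holds the bind password in clear text, keep it readable only by root and the account the script runs as.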

Example settings

Example settings file for looking up a certificate on certifikat.dk while excluding gmail.com and outlook.com:



Test whether the script can publish a certificate to the ldap server:


Testing requires a test certificate to be available on the command line. If no test certificate is available, a dummy test certificate can be generated with openssl:

openssl req -newkey rsa:2048 -keyout test.key -nodes -subj "/CN=example.com" -out test.csr
openssl x509 -req -days 1825 -sha256 -in test.csr -signkey test.key -out test.cer
cat test.cer | /usr/share/djigzo/scripts/scripts.d/event-certificate-created.sh --email test@example.com

Note: Replace test@example.com with a valid email address for which the certificate should be published to LDAP.

If the publish was successful, the following output should be shown:

DN cn=test@example.com,ou=People,dc=example,dc=com found for email test@example.com
modifying entry "cn=test@example.com,ou=People,dc=example,dc=com"

modifying entry "cn=test@example.com,ou=People,dc=example,dc=com"

Certificate for test@example.com added to DN cn=test@example.com,ou=People,dc=example,dc=com

If the publish was not successful, the returned error message should provide more info. For example, if the user DN was not found and add_dn_if_not_found was not set, the following error is reported:

DN for test@example.com not found


Restart back-end

sudo service djigzo restart

Now when the gateway generates a new certificate, the certificate will be published to LDAP.

Check the back-end log file to see whether the back-end starts without any problems:

tail -f /var/log/djigzo.log


Make sure the correct root and intermediate certificates are installed on the gateway; otherwise the certificates retrieved from LDAP will not be trusted and therefore not used.