[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap config for netscape certificates? (real success ?)



Andy,

I' ve been able to import my certificate into Netscape from OpenLDAP, so it
seems I' ve worked it out correctly. Before saying "real success!", I have
to point out that apparently the reason why I was not able to import my
certificate into Netscape is that in the dn (distinguished name) part of the
certificate  there was not any e-mail attribute specified.

The wrong certificate was issued as belonging to a "subject's" dn like this:

"cn=tizi, ou=Pescheria, o=Consip SpA, c=IT"

I' ve issued a new certificate.  The certificate now belongs to the
following subject:

"e=ezio@hotmail.com, cn=tizi, ou=Pescheria, o=Consip SpA, c=IT"

and that worked fine!

So, it seems that Netscape acts like this when he has to import certificates
from Directory:

1) Search Directory for entries with "mail" attribute matching subject
e-mail

2) Get certificate from directory (if any)

3) Really import certificate if and only if  there is a matching e-mail
attribute in the subject's certificate

Now,  I do not know if this works fine for your environment too. I' ve
generated certificates with a tool (OSCAR CA).  I believe that if I use
certificates generated from Verisign or similar I'  ll never see the problem
we' re discussing, because those certificates ( I mean "official " ones,
from Verisign etc ..) do always have an e-mail address into the subject dn.

So, I' d be glad to hear your opinion on this matter, to decide whether what
I' ve found out is "the solution" or just a another little piece in the
puzzle.

Thanks for your attention.

P.S.

Norbert,
I' ve been able to get your certificate into Netscape from my OpenLDAP. Your
certificate contains e-mail in subject's dn as well.