unknown CA
Hello everybody,
I am trying to make OpenLDAP talk TLS and have started to face a problem which I am not able to explain.
1) I have created my CA:
openssl req -config <somefile> -x509 -new -days <some days> -out <CA_pubkey> -keyout <CA_privkey>
2) I have created cert. request
openssl req -config <somefile> -nodes -new -days <some days> -out <server_req_pubkey> -keyout <server_privkey>
3) I signed it
openssl ca -config <somefile> -in <server_req_pubkey> -out <server_pubkey>
in slapd.conf I defined
line 62 (TLSCipherSuite HIGH:MEDIUM)
line 63 (TLSCertificateFile /usr/local/openldap/etc/certs/server_pubkey.pem)
line 64 (TLSCertificateKeyFile /usr/local/openldap/etc/certs/server_privkey.pem)
line 65 (TLSCACertificateFile /usr/local/openldap/etc/certs/CA_pubkey.pem)
I start LDAP
slapd -d -1 -h "ldaps://ecpmaint04:8002"
then
ldapsearch -H "ldaps://ecpmaint04:8002" -Z
and what I see is
on server side
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1031
and on client side
ldap_start_tls: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Do you know what "unknown CA" means? Does it mean that
line 65 (TLSCACertificateFile /usr/local/openldap/etc/certs/CA_pubkey.pem)
is not really the CA with which I have signed my
line 63 (TLSCertificateFile /usr/local/openldap/etc/certs/server_pubkey.pem)?
Or is it something different?
Thanks a lot for help, Vadim Tarassov.
-----------------------------------------------------------
Vadim Tarassov
e-Platform Solution Center
mailto:vadim.tarassov@winterthur.ch
Phone +41 52 261 73 22, Fax +41 52 261 46 40
Mobile +41 076 380 51 26
-----------------------------------------------------------
Winterthur Insurance
Paulstrasse 12
CH-8401 Winterthur
http://www.winterthur.com/ch
-----------------------------------------------------------
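The question above boils down to one check: does the file in TLSCACertificateFile actually issue the certificate in TLSCertificateFile? Added example (not part of the original post, and not OpenLDAP code): a small POSIX shell script that rebuilds the poster's three steps with throwaway keys in a temporary directory, then compares the leaf's issuer with the CA's subject and runs `openssl verify -CAfile`, which fails in exactly the situation that produces the "unknown CA" alert. It assumes the openssl CLI is on PATH; all names and subjects are constructed.

```shell
#!/bin/sh
# Added example: check whether a CA certificate really issued a server
# certificate. Assumes the openssl CLI is installed; all names are constructed.

# check_chain CA_CERT SERVER_CERT -> 0 if CA_CERT issued SERVER_CERT, 1 otherwise
check_chain() {
    ca_cert="$1"; server_cert="$2"
    # The issuer of the leaf must equal the subject of the CA ...
    issuer=$(openssl x509 -in "$server_cert" -noout -issuer)
    subject=$(openssl x509 -in "$ca_cert" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    # ... and the leaf's signature must verify against the CA's public key.
    openssl verify -CAfile "$ca_cert" "$server_cert" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed CA, like step 1 of the post (no prompts)
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 2 \
        -subj "/CN=$2" -keyout "$1/$2_privkey.pem" -out "$1/$2_pubkey.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME: CSR plus signing by that CA, like steps 2 and 3
make_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=ldap.example.test" \
        -keyout "$1/server_privkey.pem" -out "$1/server_req.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server_req.pem" \
        -CA "$1/$2_pubkey.pem" -CAkey "$1/$2_privkey.pem" -CAcreateserial \
        -out "$1/server_pubkey.pem" 2>/dev/null
}

# demo_unknown_ca: returns 0 only if the issuing CA verifies the server cert
# and an unrelated CA (the "unknown CA" case) is rejected.
demo_unknown_ca() {
    dir=$(mktemp -d)
    make_ca "$dir" goodCA && make_ca "$dir" otherCA && make_server_cert "$dir" goodCA || return 2
    check_chain "$dir/goodCA_pubkey.pem" "$dir/server_pubkey.pem" || return 3
    if check_chain "$dir/otherCA_pubkey.pem" "$dir/server_pubkey.pem"; then return 4; fi
    rm -rf "$dir"
    return 0
}
```

Running `check_chain` against the real CA_pubkey.pem and server_pubkey.pem from slapd.conf answers the question directly: a non-zero exit means the configured CA did not sign the server certificate.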