
Re: OpenLDAP 2.1.3 TLS: self signed certificate



Hello Alan,

Tuesday, July 23, 2002, 4:33:36 AM, you wrote:

AS> Not really finding the answer to this in the archives, so...

AS> I have a server certificate I've signed with my CA certificate, everything
AS> stored in PEM format.  The certs work OK on my Apache mod_ssl server.

AS> I've added the configuration:
AS> TLSCertificateFile      /opt/ldap/etc/denverops.quris.net.crt.pem
AS> TLSCertificateKeyFile   /opt/ldap/etc/denverops.quris.net.key.pem
AS> TLSCACertificateFile    /opt/apache/conf/ssl.crt/cacert.pem
AS> TLSVerifyClient         never

AS> Running slurpd in debug mode, ultimately I see:
AS> TLS certificate verification: depth: 1, err: 19, subject:
AS> /Email=sysadmin@quris.com/CN=Quris, Inc. Certificate Authority/O=Quris,
AS> Inc./C=US/L=Denver, issuer: /Email=sysadmin@quris.com/CN=Quris, Inc.
AS> Certificate Authority/O=Quris, Inc./C=US/L=Denver
AS> TLS certificate verification: Error, self signed certificate in
AS> certificate chain

AS> What's wrong with a self-signed certificate?

Well, I guess nothing's wrong ;-) As long as slurpd is considered a
`client', its settings are in ldap.conf(5), not slapd.conf(5).
You should inform slurpd about your self-signed CA with TLS_CACERT.
Did you do that? And don't forget about the other TLS-related
ldap.conf options.

bye

-- 
Best regards,
 Peter                            mailto:spam4octan@highway.ru
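
What the reply's advice amounts to on the command line, as an added example that is not part of the original thread and not OpenLDAP's own code: it builds a throwaway self-signed CA and a server certificate signed by it, reproduces the verify error slurpd reported (OpenSSL error 19, "self signed certificate in certificate chain": the client sees the CA in the chain but has not been told to trust it), and shows the same chain verifying once the CA is supplied the way TLS_CACERT in ldap.conf supplies it. It assumes openssl(1) is installed; the subject names, file names and the temporary directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce OpenSSL verify
# error 19 ("self signed certificate in certificate chain") for a server
# certificate issued by a private, self-signed CA, then show that trusting
# that CA on the client side (what TLS_CACERT in ldap.conf does for slurpd
# and the ldap* tools) makes the same chain verify.
# Assumes openssl(1) is on PATH. All names and paths are made up.

set -u

WORK=$(mktemp -d)
CA_SUBJ="/C=US/O=Example/CN=Example Private CA"
SRV_SUBJ="/C=US/O=Example/CN=ldap.example.test"

# Throwaway self-signed CA plus a server cert signed by it: the layout the
# original poster describes (CA cert, server cert, server key, all PEM).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
        -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "$SRV_SUBJ" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Run "openssl verify" on the server cert with the given extra options and
# print the numeric X509 verify error it reports, or 0 when the chain is OK.
verify_code() {
    out=$(openssl verify "$@" "$WORK/server.pem" 2>&1) && { echo 0; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# The client sees the CA cert in the chain the server sends (-untrusted
# models that), but nothing has told it to trust that root: error 19,
# the same "self signed certificate in certificate chain" slurpd printed.
verify_code_without_ca() {
    verify_code -untrusted "$WORK/cacert.pem"
}

# Same chain once the client trusts the CA, as TLS_CACERT arranges.
verify_code_with_ca() {
    verify_code -CAfile "$WORK/cacert.pem"
}

# The client-side ldap.conf fragment that fixes it. TLS_REQCERT demand keeps
# server authentication on; "never" would also silence the error, but only
# by skipping the certificate check entirely. Prints the file's path.
write_ldap_conf() {
    cat > "$WORK/ldap.conf" <<EOF
TLS_CACERT  $WORK/cacert.pem
TLS_REQCERT demand
EOF
    echo "$WORK/ldap.conf"
}

make_pki
echo "without TLS_CACERT: openssl verify error $(verify_code_without_ca)"
echo "with TLS_CACERT:    openssl verify error $(verify_code_with_ca)"
echo "client config written to $(write_ldap_conf) (remove $WORK when done)"
```

The first verify is the situation in the debug output: depth 1 is the CA itself, and the client rejects the chain not because self-signed certificates are broken but because that particular root is in nobody's trust list on the client side. Pointing slurpd's ldap.conf at the same cacert.pem that slapd.conf already uses for TLSCACertificateFile is the whole fix.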