[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SSL client certificate question and bdb_dn2id_matched question



tir, 2003-01-14 kl. 14:21 skrev Simon Liebold:

> > The procedure for making a certificate signed by your own CA is:
> > 
> > 1: Make the CA cert. This you will use for signing;
> 
> I have found this http://www.linux-mag.com/2002-03/guru_02.html and this
> http://www.openldap.org/lists/openldap-software/200109/msg00745.html
> They are using self-signed certificates. I have created them this way. I
> also have choosen the right "cn" for the certificate. But nothing
> changed. :-( 

According to the docs I have, amongst many others:

http://www.mandrakesecure.net/en/docs/ldap-auth.php

you should be able to use a self-signed certificate. But it's a lousy
idea, since all clients will then have access to your server's private
key (in as much as everything's combined in one certificate), and can
thus impersonate it. Which completely destroys the whole concept of
security. So why use SSL at all?

> Do self-signed certificates just work on hosts they were issued for?

That's the general idea.

> I will try the CA-signature tomorrow. Where does the client
> (ldapsearch) expect the CA-Cert?

Wherever you tell it to in /etc/ldap.conf, ldapc or ~/.ldaprc.

Ju!

Best,

Tony




-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl