RE: Multi-homed machine and TLS (not related to Multi-home but TLS CACERT confusion)
- To: <gmatt@nerc.ac.uk>
- Subject: RE: Multi-homed machine and TLS (not related to Multi-home but TLS CACERT confusion)
- From: "Tay, Gary" <Gary_Tay@platts.com>
- Date: Thu, 16 Sep 2004 17:05:16 +0800
- Cc: "openldap" <openldap-software@OpenLDAP.org>
- Content-class: urn:content-classes:message
- Thread-index: AcSbxiLjQgJu7PLrQ3qWadCwb0gxoQAAaM4w
- Thread-topic: Multi-homed machine and TLS (not related to Multi-home but TLS CACERT confusion)
Thank you very much for pointing out my confusion. I am sorry; when I
wrote rubbish I might have further confused many of us.
Very sorry, in my last mail I had mistaken and confused CA Cert and
Server Cert. In my case the file cacert.pem at ALL LDAP Clients contains
TWO CA Certs (demoCA) I created using guidance from
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html, one created
at the MASTER LDAP, the other at the SLAVE.
I put TWO CA Certs into cacert.pem at ALL LDAP Clients, and tested that
the MASTER to SLAVE failover works
BUT
I put ONE CA Cert (the demoCA created) at the MASTER and SLAVE LDAP Servers
Allow me to show a portion of "man ldap.conf" (from 2.2.15 TLS_CACERT is
there, but it IS MISSING in 2.2.13). I followed the notes here and PUT
TWO CA Certs in cacert.pem at the LDAP client
===
TLS_CACERT <filename>
Specifies the file that contains certificates for all
of the Certificate Authorities the client will recognize.
===
As the above says certificate(s), I don't understand why you say _one_
CA (cert?). Do you mean _one_ CA cert (for self-signing the Server Cert
CSR) at EACH LDAP Server? If yes, I did not contradict this, as I put
ONE CA Cert (the demoCA created) in cacert.pem of the LDAP Server.
Rgds
Gary
-----Original Message-----
From: Greg Matthews [mailto:gmatt@nerc.ac.uk]
Sent: Thursday, September 16, 2004 4:21 PM
To: Tay, Gary
Cc: openldap
Subject: RE: Multi-homed machine and TLS
Whether you paid for certs or not is irrelevant - the process is the
same. You create _one_ CA (using openssl if you wish) which you use to
sign cert requests for each server. The client then needs _one_ copy of
the CA certificate to verify each of the server certs.
I don't mean to be rude, but this is fundamental stuff. I admit it can
be a bit confusing when starting out, but you should make sure you
understand this stuff or take it to a relevant mailing list.
GREG
On Wed, 2004-09-15 at 19:19, Tay, Gary wrote:
> Again, if I am not wrong, let me clarify:
>
> The two certs in my cacert.pem at my LDAP clients are neither Server
> certs nor CA certs, they are "Server Certs Self-Signed by a CA Cert
> generated at the server". The file name happened to be named
> "cacert.pem", one can call it anything.
>
> I did not send any server cert to a valid CA and pay for the signing
> service. Most testing systems use self-signed certs.
>
--
Greg Matthews
iTSS Wallingford 01491 692445