
Re: openldap 2.1.30 + gentoo +ssl [self signed problem again]



On Thursday 25 November 2004 12:31, you wrote:
> Florin Angelescu <fangelescu@caami-hziv.fgov.be> writes:
> > On Thursday 25 November 2004 11:32, you wrote:
> >> Hello,
> >>
> >> You must have signed a cert with the wrong ca, check all your
> >> certificates with
> >>
> >> openssl x509 -in certificate.pem -text
> >>
> >> in particular check the keyid, which must be identical in the key
> >> chain.
> >
> > well, I have only 1 CA .... (I used CA.sh -newcert)
> > and the servercert is signed by my CA
> >
> >
> > openssl x509 -in servercert.pem -text
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 1 (0x1)
> >         Signature Algorithm: md5WithRSAEncryption
> >         Issuer: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI_CA, OU=CCI,
> > CN=CAAMI_CA/emailAddress=fangelescu@caami-hziv.fgov.be
> >         Validity
> >             Not Before: Nov 25 08:32:09 2004 GMT
> >             Not After : Nov 25 08:32:09 2005 GMT
> >         Subject: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI-HZIV, OU=CCI,
> > CN=ldap.caami-hziv.fgov.be/emailAddress=ldapserver@caami-hziv.fgov.be
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             RSA Public Key: (2048 bit)
>
> I have been referring to keyid.
>
>  X509v3 Authority Key Identifier:
>    keyid:86:5C:19:86:4E:EE:0B:DC:A2:99:56:95:B3:7B:90:FD:21:4E:F4:BC
>
> This keyid must be identical in your whole key chain.
>
> -Dieter
They are the same

for the CA
================
X509v3 Authority Key Identifier:
                keyid:2C:D8:6F:5E:79:97:0D:EE:3E:9F:47:CC:1B:AE:A2:5E:B3:D1:6A:EC
                DirName:/C=BE/ST=BELGIUM/L=BRUSSELS/O=CAAMI_CA/OU=CCI/CN=CAAMI_CA/emailAddress=fangelescu@caami-hziv.fgov.be
                .......

            X509v3 Basic Constraints:
                CA:TRUE
-------------------------------------

for the Server
=====================
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            
  .......
            X509v3 Authority Key Identifier:
                keyid:2C:D8:6F:5E:79:97:0D:EE:3E:9F:47:CC:1B:AE:A2:5E:B3:D1:6A:EC
                DirName:/C=BE/ST=BELGIUM/L=BRUSSELS/O=CAAMI_CA/OU=CCI/CN=CAAMI_CA/emailAddress=fangelescu@caami-hziv.fgov.be
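
Added example (not part of the original message): a small shell check of the keyid link discussed in this thread, comparing a certificate's Authority Key Identifier keyid with the Subject Key Identifier of its issuer. It parses the text printed by `openssl x509 -noout -text`; the function names and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Reads `openssl x509 -noout -text` output on stdin and prints the key
# identifier listed under the extension whose heading contains $1.
keyid_under() {
    awk -v want="$1" '
        /X509v3 [A-Za-z ]+:|Signature Algorithm:/ { insec = (index($0, want) > 0); next }
        insec {
            line = $0
            sub(/^[ \t]*/, "", line); sub(/^keyid:/, "", line); sub(/[ \t\r]*$/, "", line)
            if (line ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/) { print toupper(line); exit }
        }'
}
ski_of() { keyid_under "Subject Key Identifier"; }
aki_of() { keyid_under "Authority Key Identifier"; }

# chain_link CHILD_DUMP ISSUER_DUMP: the child's AKI keyid must equal the
# issuer's SKI. Prints match, mismatch, or unknown (an extension is absent).
chain_link() {
    aki=$(printf '%s\n' "$1" | aki_of)
    ski=$(printf '%s\n' "$2" | ski_of)
    if [ -z "$aki" ] || [ -z "$ski" ]; then echo unknown
    elif [ "$aki" = "$ski" ]; then echo match
    else echo mismatch
    fi
}

# Constructed sample dumps (keyids are made up, not the thread's values).
CA_DUMP='        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
            X509v3 Authority Key Identifier:
                keyid:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
                DirName:/CN=Example CA
            X509v3 Basic Constraints:
                CA:TRUE'
SERVER_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:B0:B1:B2:B3:B4:B5:B6:B7:B8:B9
            X509v3 Authority Key Identifier:
                keyid:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
OTHER_CA_DUMP='            X509v3 Subject Key Identifier:
                FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

echo "server vs its CA:   $(chain_link "$SERVER_DUMP" "$CA_DUMP")"
echo "server vs other CA: $(chain_link "$SERVER_DUMP" "$OTHER_CA_DUMP")"
```

With real files, pass `"$(openssl x509 -in servercert.pem -noout -text)"` as the first argument and the same dump of the CA certificate as the second. A matching keyid only shows that both certificates name the same key; `openssl verify -CAfile <CA file> servercert.pem` checks the signature itself.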