Re: Using "keytool" to create security certificates for OpenLDAP
Safdar Kureishy wrote:

> 1) I'm on a Windows machine,

So sorry.

> and in the OpenLDAP installation directory ("c:\Program Files\OpenLDAP"),
> I actually see several "SSL" related files.

Personally, I wouldn't trust the certs unless you put them there or know
who did.

> Could you tell me which is which, and which I should add to the
> truststore on the client?
>
> - serverkey.pem

As it says, the server's key file. Keep this one private through very
limited permissions.

> - server.pem

The server cert. This is expressed in the handshake.

> - CA.pem

Put this one in the client truststore. This is the certificate for your
local Certificate Authority. Like Verisign or Thawte, only much cheaper
and not universally known or accepted.

> - cakey.pem

You should probably keep this one pretty private as well.

> - ca.srl

You've heard of Google, right? I actually wasn't familiar with this file
extension, but a twenty-second Google search on 'ssl .srl' got me this
pat explanation:

"The content of file.srl is a two digit number, e.g. 00; it's incremented
when the CA issues a certificate."

> 2) I actually tried adding "server.pem" to my client's truststore
> using keytool, and it seems that it got added (it gets listed with the
> -list option)

So now you at least know for a fact you can import .pem format files
into Java stores.

> but when I do the following with JLDAP to connect to
> the OpenLDAP server, I get an LDAPException with a root message:
> "sun.security.validator.ValidatorException: No trusted certificate
> found".

The client gets this cert anyway in the handshake; it doesn't belong in
the truststore (you are confusing keystores and truststores). In other
words, the reason you're told the server's cert isn't *trusted* is that
the JRE doesn't recognize the certificate authority from whence it came.
That's why you need your local CA certificate in the client's CA truststore.
Jon Roberts
www.mentata.com
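The procedure Jon describes, as an added example for the Windows client (not part of the original thread): it checks that server.pem was issued by CA.pem, imports only CA.pem into a client truststore, and points the JLDAP client's JVM at that store. It assumes keytool.exe from the client JRE is on PATH; the truststore path, alias, password and main class name are placeholders.

```powershell
# Added example, not from the original mailing-list thread.
# Assumes the OpenLDAP files live in C:\Program Files\OpenLDAP and that
# keytool.exe from the client JRE is on PATH. Truststore path, alias,
# password and main class below are placeholders.
$ldapDir    = 'C:\Program Files\OpenLDAP'
$trustStore = "$env:USERPROFILE\ldap-client-truststore.jks"
$storePass  = 'changeit'   # placeholder; pick a real password

# 1. Inspect both certificates. The Issuer of server.pem must match the
#    Subject of CA.pem; that is the trust relationship the JRE is missing.
#    server.pem itself does NOT go into the truststore; the server sends it
#    during the handshake.
keytool -printcert -file "$ldapDir\server.pem"
keytool -printcert -file "$ldapDir\CA.pem"

# 2. Import the local CA certificate (the one the JRE does not know) as a
#    trusted entry. -noprompt skips the interactive "Trust this certificate?"
#    question. serverkey.pem and cakey.pem are private keys and are never
#    copied to the client.
keytool -importcert -trustcacerts -noprompt `
    -alias local-ca `
    -file "$ldapDir\CA.pem" `
    -keystore $trustStore `
    -storepass $storePass

# 3. Confirm the entry is listed as a trustedCertEntry.
keytool -list -v -keystore $trustStore -storepass $storePass

# 4. Run the JLDAP client with the standard JSSE truststore properties so
#    the JRE validates the server cert against the local CA.
#    Replace MyLdapClient with the client's own main class.
java "-Djavax.net.ssl.trustStore=$trustStore" `
     "-Djavax.net.ssl.trustStorePassword=$storePass" `
     MyLdapClient
```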