
Re: Problem verifying self signed certificate



Villy Kruse wrote:
> On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:
>> At 08:45 AM 9/4/2005, Peter Marschall wrote:
>>> AFAIK this is expected behaviour as you cannot use a self-signed server
>>> certificate with openLDAP.
>> Have you examined the certificate at ldap.openldap.org?
>> It's a self-signed certificate.
> A self-signed certificate cannot be verified. For that you will need
> the certificate to be signed by a trusted CA. However, a self-signed
> certificate can be used to establish an encrypted connection.
I don't believe that statement helps in any way to clarify the situation. A cert that is signed by a trusted CA is by definition *not* a self-signed cert.

Note (again, and again, and again...) that "self-signed" does not mean "a certificate that I created by myself." It means "a certificate that was not signed by a separate certificate authority."

Ultimately every chain of trusted certs leads back to a self-signed cert, because no matter how many CAs are in the chain, ultimately there's a root level that has no superior to sign for it. That root level cert is necessarily self-signed. The point is that any client and server must be explicitly configured to trust a particular self-signed cert. For the OpenLDAP client that means you point the TLS_CACERT directive (see ldap.conf(5)) at a PEM file containing the self-signed cert. For the slapd server you use the corresponding TLSCACertificateFile directive. You must use these configuration directives if you want to accept a self-signed cert.

OpenLDAP works fine with certificates you create yourself. Whether you use a single self-signed cert for the server, or you create a self-signed CA cert and then use that to create and sign separate server certs doesn't matter; the code will work either way. But whichever way you choose, the cert you create that is self-signed *must* be configured on all of the clients and servers. That's true whether you create the certs, or whether you buy them from a commercial cert vendor. (Obviously for a vendor-supplied cert, you configure the vendor's CA cert.)

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
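The verification behaviour described in the reply above, as an added example that is not part of the original thread: a self-signed certificate fails verification when the trust anchor is anything other than itself (or its own signer), and verifies as soon as that same PEM file is configured as the trust anchor, which is exactly what TLS_CACERT in ldap.conf(5) and TLSCACertificateFile in slapd do. The script assumes the openssl command-line tool is installed; the host names ldap.example.test and unrelated.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: show with the
# openssl CLI why a self-signed certificate only verifies once it is the
# configured trust anchor, then emit the matching ldap.conf / slapd lines.
# Assumes the openssl command-line tool is installed. Host names and file
# names below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate for CN $1 into $WORK/$2.pem / $2.key.
# This is the "create the cert yourself" case discussed in the thread.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Verify certificate $1 using only $2 as trust anchor (-no-CApath keeps the
# system CA directory out of the picture). Prints "ok" or "fail".
verify_against() {
  if openssl verify -no-CApath -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Client-side configuration from the thread: TLS_CACERT in ldap.conf(5)
# pointing at the PEM file that holds the self-signed cert.
ldap_conf_for() {
  printf 'TLS_CACERT %s\n' "$WORK/$1.pem"
}

# Server-side counterpart from the thread: TLSCACertificateFile for slapd.
slapd_conf_for() {
  printf 'TLSCACertificateFile %s\n' "$WORK/$1.pem"
}

make_self_signed ldap.example.test server        # the server's own cert
make_self_signed unrelated.example.test other    # some other self-signed cert

# Trusting an unrelated cert does not help: the server cert is self-signed,
# so nothing but itself can vouch for it.
RESULT_UNTRUSTED=$(verify_against server other)   # fail
# Once the self-signed cert itself is the trust anchor, verification passes.
RESULT_TRUSTED=$(verify_against server server)    # ok

echo "verify with an unrelated trust anchor: $RESULT_UNTRUSTED"
echo "verify with the cert itself as trust anchor: $RESULT_TRUSTED"
echo "client ldap.conf line:"
ldap_conf_for server
echo "slapd directive:"
slapd_conf_for server
```

The second verification succeeding is the whole point of the reply: nothing about the certificate changed, only what the verifier was told to trust. Replace the self-signed server cert with a self-signed CA cert that signed the server cert and the same two directives apply, pointed at the CA's PEM file instead.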