
Re: Problem verifying self signed certificate



On Mon, 5 Sep 2005, Howard Chu wrote:

> Date: Mon, 05 Sep 2005 03:29:23 -0700
> From: Howard Chu <hyc@symas.com>
> To: Villy Kruse <vek@pharmapartners.nl>
> Cc: Kurt D. Zeilenga <Kurt@OpenLDAP.org>, Peter Marschall <peter@adpm.de>,
>     James Wilde <james_wilde@glocalnet.com>,
>     openldap-software@OpenLDAP.org
> Subject: Re: Problem verifying self signed certificate
>
> Villy Kruse wrote:
> > On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:
> >
> > > At 08:45 AM 9/4/2005, Peter Marschall wrote:
> > >
> > > > AFAIK this is expected behaviour as you cannot use a self-signed server
> > > > certificate with openLDAP.
> > > >
> > > Have you examined the certificate at ldap.openldap.org?
> > > It's a self-signed certificate.
> > A self-signed certificate cannot be verified.  For that you will need
> > the certificate to be signed by a trusted CA.  However, a self-signed
> > certificate can be used to establish an encrypted connection.
> >
> I don't believe that statement helps in any way to clarify the situation. A
> cert that is signed by a trusted CA is by definition *not* a self-signed cert.
>

And the fact that the web site for https://www.openldap.org has a self-signed
certificate isn't very relevant either.  The client (the web browser) should
complain, but usually the user is allowed to trust the certificate.

> Note (again, and again, and again...) that "self-signed" does not mean "a
> certificate that I created by myself." It means "a certificate that was not
> signed by a separate certificate authority."
>

I wouldn't use that word in any other meaning.  Perhaps the word was
used in a different meaning in the Subject line; I didn't think about that.

Villy
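The distinction the thread turns on, that "self-signed" means the certificate's issuer is its own subject, and that such a certificate verifies only when the client is told to trust it directly, can be shown with the openssl command line. The following is an added example written for this archive page, not code from anyone in the thread or from the OpenLDAP project. It assumes the openssl CLI is installed, constructs a throwaway self-signed server certificate and a throwaway CA-signed one (the CN "ldap.example.test" and the CA name are made up), and the mention of TLS_CACERT is the editor's note on the OpenLDAP client-side setting that plays the role of the trust anchor file here.

```shell
#!/bin/sh
# Added example (not from the thread): what "self-signed" means and why such a
# certificate only verifies when the client explicitly trusts it.
# Requires the openssl CLI. All names and keys are constructed and throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed server certificate: the key signs its own cert,
# so issuer == subject. ($1 = cert out, $2 = key out)
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Generate a separate CA and have it sign a server certificate: issuer is the
# CA, so this cert is by definition NOT self-signed.
# ($1 = server cert out, $2 = server key out, $3 = CA cert out, $4 = CA key out)
make_ca_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$4" -out "$3" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$2" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$3" -CAkey "$4" \
        -CAcreateserial -days 1 -out "$1" >/dev/null 2>&1
}

# A certificate is self-signed when its issuer name equals its subject name.
# Prints "yes" or "no".
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# Verify $1 using only the certificates in file $2 as trust anchors.
# This is what an OpenLDAP client does with the file named by TLS_CACERT
# in ldap.conf (editor's note; the system CA directory is excluded here).
verify_with_trust_anchor() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Verify $1 with an empty trust store: no trust anchor at all.
verify_without_trust() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

SELF="$WORK/self.pem"; SELF_KEY="$WORK/self-key.pem"
LEAF="$WORK/leaf.pem"; LEAF_KEY="$WORK/leaf-key.pem"
CA="$WORK/ca.pem";     CA_KEY="$WORK/ca-key.pem"

make_self_signed_cert "$SELF" "$SELF_KEY"
make_ca_signed_cert "$LEAF" "$LEAF_KEY" "$CA" "$CA_KEY"

for c in "$SELF" "$LEAF"; do
    echo "== $c"
    echo "  $(openssl x509 -in "$c" -noout -subject)"
    echo "  $(openssl x509 -in "$c" -noout -issuer)"
    echo "  self-signed: $(is_self_signed "$c")"
    if verify_without_trust "$c"; then
        echo "  verifies with no trust anchor (unexpected)"
    else
        echo "  does NOT verify with no trust anchor (expected)"
    fi
done

# The self-signed cert verifies once the client trusts that very cert.
if verify_with_trust_anchor "$SELF" "$SELF"; then
    echo "self-signed cert verifies when it is itself the trust anchor"
fi
# The CA-signed cert verifies once the client trusts the CA.
if verify_with_trust_anchor "$LEAF" "$CA"; then
    echo "CA-signed cert verifies when the CA is the trust anchor"
fi
```

Both certificates give a working encrypted session; the difference is only in what the client must be told to trust: the server's own certificate in the self-signed case, the CA's certificate in the other. Neither verifies when the client has no trust anchor, which is the "should complain" behaviour described for browsers above.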