
Re: certificate issue with ldaps



Small correction:

TLS_CACERT must be the certificate from a ROOT Certificate Authority or
a Certificate Authority certificate signed by a known parent CA. CA
means "Certificate Authority". There can be multiple levels of Certificate
Authority.


Every certificate has an Issuer (Certificate Authority) which signed the
certificate, and a Subject whose public key and other data are signed
by the CA. If the certificate has the correct attributes, then it can be
used to sign subordinate certificates.


A certificate which has the same issuer and subject is a ROOT certificate
because there is no parent certificate.


You might want to check if there is also a TLS_CACERTDIR directive
or similar which could still allow the client to locate the CA Certificate.


Owen

On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:

> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
> TLS_REQCERT demand
> My issue is that the SSL connection still works if I comment the line with
> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
> and it should not because without this certificate authority my openldap
> proxy should not be able to check the certificate sent by the backend ldap.
> TLS certificate verification: Error, self signed certificate in certificate
> chain
> but it works with this error.
>
> You must have your root CA -> self-signed after you create - CA and key for your LDAP server - CA and key for client
>
> both CA (client, server) you must sign by your CA root certificate
>
> pozdr
> rafal

