[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Server Certificate Chain

To: Krasimir Ganchev <ganchevk@gmail.com>
Subject: Re: Server Certificate Chain
From: Kari Mattsson <kari@trivore.com>
Date: Wed, 18 Apr 2007 23:18:12 +0300
Cc: openldap-software@openldap.org
In-reply-to: <b0119db20704180857i8ca8ee2o1d94b15cd12c6b46@mail.gmail.com>
Organization: Trivore Corp.
References: <b0119db20704180857i8ca8ee2o1d94b15cd12c6b46@mail.gmail.com>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

Krasimir Ganchev wrote:

Hello guys,

I am using a globally recognized certificate with my openldap server
 which is issued by a Child CA trusted by the Root CA of my
certificate provider. Is there any possible way to include the Child
CA certificate within the server certificate chain?


I have file (on Linux) /etc/ssl/certs/trivore-ca-bundle.crt, which looks
like

# The Trivore 4096 rootCA certificate:
-----BEGIN CERTIFICATE-----
MIIGhjCCBG6gAwIBAgIBADANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJGSTEW
...deleted...
aumDU+F7CFlUMZllhTLmiAYN14j7chcClbHfREhopXPTtVb5EyJ6EQK+
-----END CERTIFICATE-----
# ...
# The Trivore 4096 CA 01 certificate:
-----BEGIN CERTIFICATE-----
MIIGqDCCBJCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJGSTEW
...deleted...
Dyc4ZHUjqXz/n/CQjWBCwKPxF3fwci7UZuly9g==
-----END CERTIFICATE-----

..and then in the slapd.conf:

TLSCACertificateFile /etc/ssl/certs/trivore-ca-bundle.crt
TLSCertificateFile /etc/ssl/certs/hostname.crt
TLSCertificateKeyFile /etc/ssl/private/hostname.key
TLSCipherSuite HIGH

among other lines.

hostname.crt is created by CA01 during certification process.

Just having appropriate/relevant lines in ldap.conf makes the client work nicely with the server.

Same goes, if you import the rootCA and subordinateCA (CA01) to your Windows box. There is a separate slot on Windows for root and intermediate/subordinate CAs. ...but that goes outside the scope of this list.

The thing is that I have couple of windows based clients using my openldap server and I can't make them verify the server certificate. The Root CA is included in the trusted Root CAs Windows store, but since the Child CA ain't there and doesn't appear in the certificate chain the clients could not verify the server certificate and give up with an error unless they are being configured to ignore errors.
That's the reason why I would like to include the Child CA /Signing
CA/ certificate within the server certificate chain which will allow
those clients to confirm server's certificate and its signing CA
certificate against the trusted root CA.
Is there any possible way to achieve that and is it up to
configuration?
Any help is appreciated!


Did it help?

All my best,
Krasimir Ganchev


//Kari Mattsson

Follow-Ups:
- Re: Server Certificate Chain
  - From: "Krasimir Ganchev" <ganchevk@gmail.com>

References:
- Server Certificate Chain
  - From: "Krasimir Ganchev" <ganchevk@gmail.com>

Prev by Date: no TLS connections
Next by Date: Re: no TLS connections
Index(es):
- Chronological
- Thread