[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Server Certificate Chain

To: <openldap-software@openldap.org>
Subject: RE: Server Certificate Chain
From: "Krasimir Ganchev" <ganchevk@gmail.com>
Date: Thu, 19 Apr 2007 00:13:36 +0300
In-reply-to: <46268194.6090504@symas.com>
References: <b0119db20704180857i8ca8ee2o1d94b15cd12c6b46@mail.gmail.com> <46268194.6090504@symas.com>
Thread-index: AceB+Wjk//JqlVfLS+6cLvXm0tDGsgAAk9Og

Howard,

I have read that and I have set a bundle of my Root/Child CA included with
the TLSCACertificateFile directive.

My TLS configuration is as follows:

TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never

Anyway if I do not include the Child CA certificate in the appropriate
stores at the client side the server certificate could not be verified.

I have tried to get some more info with openssl (openssl s_client -connect
hostname:636) and it returns that there are no client certificate CA names
sent.

Any suggestions?

~Cheers~

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain

Read the Admin Guide, section 12.2.1.1.

Krasimir Ganchev wrote:
> Hello guys,
> 
>  
> 
> I am using a globally recognized certificate with my openldap server 
> which is issued by a Child CA trusted by the Root CA of my certificate 
> provider. Is there any possible way to include the Child CA certificate 
> within the server certificate chain?
> 
>  
> 
> The thing is that I have couple of windows based clients using my 
> openldap server and I can't make them verify the server certificate. The 
> Root CA is included in the trusted Root CAs Windows store, but since the 
> Child CA ain't there and doesn't appear in the certificate chain the 
> clients could not verify the server certificate and give up with an 
> error unless they are being configured to ignore errors.
> 
>  
> 
> That's the reason why I would like to include the Child CA /Signing CA/ 
> certificate within the server certificate chain which will allow those 
> clients to confirm server's certificate and its signing CA certificate 
> against the trusted root CA.
> 
>  
> 
> Is there any possible way to achieve that and is it up to configuration?


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- RE: Server Certificate Chain
  - From: Eric Irrgang <erici@motown.cc.utexas.edu>

References:
- Server Certificate Chain
  - From: "Krasimir Ganchev" <ganchevk@gmail.com>
- Re: Server Certificate Chain
  - From: Howard Chu <hyc@symas.com>

Prev by Date: OpenLDAP 2.3.x on RHEL 5 or Centos 5?
Next by Date: Re: Syncrepl-Consumer deletes entries
Index(es):
- Chronological
- Thread