RE: Server Certificate Chain
Howard,
I have read that, and I have set a bundle of my Root/Child CA certificates with
the TLSCACertificateFile directive.
My TLS configuration is as follows:
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never
Anyway, if I do not include the Child CA certificate in the appropriate
stores on the client side, the server certificate cannot be verified.
I have tried to get some more info with openssl (openssl s_client -connect
hostname:636) and it reports that no client certificate CA names are
sent.
Any suggestions?
~Cheers~
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain
Read the Admin Guide, section 12.2.1.1.
Krasimir Ganchev wrote:
> Hello guys,
>
> I am using a globally recognized certificate with my openldap server
> which is issued by a Child CA trusted by the Root CA of my certificate
> provider. Is there any possible way to include the Child CA certificate
> within the server certificate chain?
>
> The thing is that I have a couple of Windows-based clients using my
> openldap server and I can't make them verify the server certificate. The
> Root CA is included in the trusted Root CAs Windows store, but since the
> Child CA isn't there and doesn't appear in the certificate chain, the
> clients cannot verify the server certificate and give up with an
> error unless they are configured to ignore errors.
>
> That's the reason why I would like to include the Child CA (Signing CA)
> certificate within the server certificate chain, which will allow those
> clients to confirm the server's certificate and its signing CA certificate
> against the trusted root CA.
>
> Is there any possible way to achieve that, and is it up to configuration?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
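The failure the thread describes can be reproduced offline. The script below is an added example, not code from the thread or from the OpenLDAP project: it builds a throw-away root CA, child (signing) CA and server certificate with the openssl command-line tool (assumed to be installed; all names such as "Example Root CA" and ldap.example.com are made up), then verifies the server certificate three ways. A verifier that trusts only the root and is given only the server certificate fails, exactly as the Windows clients do; supplying the child CA certificate alongside it (which is what the server sending its chain achieves) succeeds; and a bundle containing the whole sequence from the signing CA up to the root, the content the Admin Guide asks for in TLSCACertificateFile, verifies as well.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): a three-tier PKI
# built with the openssl CLI to show why a client that trusts only the root
# cannot verify a server certificate unless the child CA certificate is
# also available to it. Every name below is made up for the demonstration.
set -u

# Run one "openssl verify" and print ok/fail instead of aborting the script.
verify_result() {
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Create root -> child CA -> server certificates in a scratch directory and
# print the outcome of three verification attempts on one line.
chain_demo() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # Self-signed root CA ("openssl req -x509" marks it CA:TRUE by itself).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1
    # Child (signing) CA issued by the root; as an intermediate it must carry
    # basicConstraints CA:TRUE or verification rejects it as an invalid CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Child CA" -keyout child.key -out child.csr >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in child.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -out child.pem >/dev/null 2>&1
    # Server certificate issued by the child CA, the situation in the thread.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=ldap.example.com" -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in server.csr -CA child.pem -CAkey child.key \
      -CAcreateserial -out server.pem >/dev/null 2>&1
    # The bundle the Admin Guide describes for TLSCACertificateFile: every CA
    # from the one that signed the server certificate up to the root.
    cat child.pem root.pem > cacert-bundle.pem

    # 1) Trust store holds only the root and the peer presents only its own
    #    certificate: the chain cannot be built (the Windows clients' case).
    r1=$(verify_result -CAfile root.pem server.pem)
    # 2) Same trust store, but the child CA certificate is supplied as an
    #    untrusted chain element, as happens when the server sends it.
    r2=$(verify_result -CAfile root.pem -untrusted child.pem server.pem)
    # 3) The complete bundle used as the trust store.
    r3=$(verify_result -CAfile cacert-bundle.pem server.pem)
    echo "rootonly=$r1 withchild=$r2 bundle=$r3"
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

chain_demo
```

Against a live slapd, `openssl s_client -connect hostname:636 -showcerts </dev/null` prints the chain the server actually sends under "Certificate chain": when the child CA certificate is being sent there is a depth 1 entry for it, and the "Verify return code" is 0 once the root is in the client's trust store (pass it with `-CAfile`). The "No client certificate CA names sent" line mentioned in the reply refers to the list of CAs from which the server would accept a client certificate; with TLSVerifyClient never that list is expected to be empty, and it says nothing about the server's own chain.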