~Cheers~
On 4/18/07, Kari Mattsson <kari@trivore.com> wrote:
Krasimir Ganchev wrote:
> Hello guys,
>
>
>
> I am using a globally recognized certificate with my openldap server
> which is issued by a Child CA trusted by the Root CA of my
> certificate provider. Is there any possible way to include the Child
> CA certificate within the server certificate chain?
I have a file (on Linux) /etc/ssl/certs/trivore-ca-bundle.crt, which looks
like
# The Trivore 4096 rootCA certificate:
-----BEGIN CERTIFICATE-----
MIIGhjCCBG6gAwIBAgIBADANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJGSTEW
...deleted...
aumDU+F7CFlUMZllhTLmiAYN14j7chcClbHfREhopXPTtVb5EyJ6EQK+
-----END CERTIFICATE-----
# ...
# The Trivore 4096 CA 01 certificate:
-----BEGIN CERTIFICATE-----
MIIGqDCCBJCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJGSTEW
...deleted...
Dyc4ZHUjqXz/n/CQjWBCwKPxF3fwci7UZuly9g==
-----END CERTIFICATE-----
..and then in the slapd.conf:
TLSCACertificateFile /etc/ssl/certs/trivore-ca-bundle.crt
TLSCertificateFile /etc/ssl/certs/hostname.crt
TLSCertificateKeyFile /etc/ssl/private/hostname.key
TLSCipherSuite HIGH
among other lines.
hostname.crt is created by CA01 during the certification process.
Just having appropriate/relevant lines in ldap.conf makes the client
work nicely with the server.
Same goes, if you import the rootCA and subordinateCA (CA01) to your
Windows box. There is a separate slot on Windows for root and
intermediate/subordinate CAs. ...but that goes outside the scope of
this list.
> The thing is that I have a couple of Windows-based clients using my
> openldap server and I can't make them verify the server certificate.
> The Root CA is included in the trusted Root CAs Windows store, but
> since the Child CA isn't there and doesn't appear in the certificate
> chain the clients cannot verify the server certificate and give up
> with an error unless they are configured to ignore errors.
>
> That's the reason why I would like to include the Child CA /Signing
> CA/ certificate within the server certificate chain which will allow
> those clients to confirm server's certificate and its signing CA
> certificate against the trusted root CA.
>
> Is there any possible way to achieve that and is it up to
> configuration?
>
> Any help is appreciated!
Did it help?
> All my best,
>
> Krasimir Ganchev
//Kari Mattsson