[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Server Certificate Chain

To: Krasimir Ganchev <ganchevk@gmail.com>
Subject: Re: Server Certificate Chain
From: Kari Mattsson <kari.mattsson@trivore.com>
Date: Thu, 19 Apr 2007 19:55:51 +0300
Cc: openldap-software@openldap.org
In-reply-to: <b0119db20704181341g4e241f57qb1784a6c035922c1@mail.gmail.com>
Organization: Trivore Corp.
References: <b0119db20704180857i8ca8ee2o1d94b15cd12c6b46@mail.gmail.com> <46267D04.6040109@trivore.com> <b0119db20704181341g4e241f57qb1784a6c035922c1@mail.gmail.com>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

Krasimir Ganchev wrote:

Kari, I have already tried adding my Root/Child certificate bundle via TLSCACertificateFile but it doesn't make any difference and according to the documentation the directive only specifies certificates for CA's that slapd will trust.


Yes, it will to exactly, and only that.

The other thing which I have tried was adding the Child /subordinate/ CA certificate right after the Server certificate in TLFCertificateFile which also didn't lead to any success.

You have to do that, if you have a chained server certificate. TLSCACertificatefile requires the rootCA, and subordinate/intermediate CA certificates as shown below in my example.

You need these to get from the root to the server certificate/private (TLSCertificateFile/TLSCertificateKeyFile parameters). That will do it for OpenLDAP. On Windows side, it is totally another game.

Of course I could always add the Child CA certificate to all of the Windows machine stores and evrything would work just fine, but that's not the whole idea of paying for trusted certificate.

Krasmir, it is just THAT what you will have to do, if you have a chained server certificate.

It is not that diffucult:

certmgr.exe -add rootCAcert.der -s -r localMachine root
certmgr.exe -add CA01cert.der -s -r localMachine CA

Then you have both in proper places on Windoze.

I would like to be able to specify the server certificate chain just like I've done that with SSLCertificateChainFile in apache2 for example.


You can.  I already mailed an example file, and example slapd.conf lines.

~Cheers~

On 4/18/07, *Kari Mattsson* <kari@trivore.com <mailto:kari@trivore.com>> wrote:

    Krasimir Ganchev wrote:
     > Hello guys,
     >
     >
     >
     > I am using a globally recognized certificate with my openldap server
     >  which is issued by a Child CA trusted by the Root CA of my
     > certificate provider. Is there any possible way to include the Child
     > CA certificate within the server certificate chain?

    I have file (on Linux) /etc/ssl/certs/trivore- ca-bundle.crt, which
    looks
    like

    # The Trivore 4096 rootCA certificate:
    -----BEGIN CERTIFICATE-----
    MIIGhjCCBG6gAwIBAgIBADANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJGSTEW
    ...deleted...
    aumDU+F7CFlUMZllhTLmiAYN14j7chcClbHfREhopXPTtVb5EyJ6EQK+
    -----END CERTIFICATE-----
    # ...
    # The Trivore 4096 CA 01 certificate:
    -----BEGIN CERTIFICATE-----
    MIIGqDCCBJCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJGSTEW
    ...deleted...
    Dyc4ZHUjqXz/n/CQjWBCwKPxF3fwci7UZuly9g==
    -----END CERTIFICATE-----

    ..and then in the slapd.conf:

    TLSCACertificateFile /etc/ssl/certs/trivore-ca-bundle.crt
    TLSCertificateFile /etc/ssl/certs/hostname.crt
    TLSCertificateKeyFile /etc/ssl/private/hostname.key
    TLSCipherSuite HIGH

    among other lines.

    hostname.crt is created by CA01 during certification process.

    Just having appropriate/relevant lines in ldap.conf makes the client
    work nicely with the server.

    Same goes, if you import the rootCA and subordinateCA (CA01) to your
    Windows box.  There is a separate slot on Windows for root and
    intermediate/subordinate CAs.  ...but that goes outside the scope of
    this list.

     > The thing is that I have couple of windows based clients using my
     > openldap server and I can't make them verify the server certificate.
     > The Root CA is included in the trusted Root CAs Windows store, but
     > since the Child CA ain't there and doesn't appear in the certificate
     > chain the clients could not verify the server certificate and give up
     > with an error unless they are being configured to ignore errors.
     >
     >
     >
     > That's the reason why I would like to include the Child CA /Signing
     > CA/ certificate within the server certificate chain which will allow
     > those clients to confirm server's certificate and its signing CA
     > certificate against the trusted root CA.
     >
     >
     >
     > Is there any possible way to achieve that and is it up to
     > configuration?
     >
     >
     >
     > Any help is appreciated!

    Did it help?

     > All my best,
     >
     > Krasimir Ganchev

    //Kari Mattsson

Terveisin/With kind regards/Med hälsningar/Lugupidamisega,

Kari Mattsson
Trivore Corp.

--
http://trivore.com/   tel:+358-50-69000

References:
- Server Certificate Chain
  - From: "Krasimir Ganchev" <ganchevk@gmail.com>
- Re: Server Certificate Chain
  - From: Kari Mattsson <kari@trivore.com>
- Re: Server Certificate Chain
  - From: "Krasimir Ganchev" <ganchevk@gmail.com>

Prev by Date: Re: OpenLDAP 2.3.x on RHEL 5 or Centos 5?
Next by Date: Re: Build error 2.3.35 on Debian
Index(es):
- Chronological
- Thread