On Fri, May 28, 2010 at 9:39 AM, s g <sirisha.kmb@gmail.com> wrote:
javax.naming.CommunicationException: simple bind failed: vcheung-181.lab.xxxx.net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
You probably have your certs round the wrong way. The server cert (on the ldap server) should have the 'SSL Server' usage flag; the client cert (on the ldap client) should have the 'SSL Client' usage flag.
The usage flags are embedded when you make the CSR (certificate request), and they will then usually be reflected in the generated certificate, unless your CA overrides them.
Do a "openssl x509 -in <cert file> -noout -text" to compare the two certificates.
Cheers
Brett
[root@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........................++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab.xxxx.net
Email Address []:sirish1616@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun 9 20:15:18 2010 GMT
            Not After : Jun 8 20:15:18 2013 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab.xxxx.net
            emailAddress              = xyz@yahoo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun 8 20:15:18 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@vcheung-181 nextca]#
[root@vcheung-181 nextca]# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.........++++++
...................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab.xxxx.net
Email Address []:xyz@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:
[root@vcheung-181 nextca]#
[root@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 9 20:22:20 2010 GMT
            Not After : Jun 9 20:22:20 2011 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = SantaClara
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab.xxxx.net
            emailAddress              = xyz@yahoo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:AB:B2:D2:2B:7F:DC:B7:DE:9F:F2:AF:B1:64:45:B0:24:B5:AD:10
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun 9 20:22:20 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=MyCompany Inc, OU=MyCompany Unit, CN=vcheung-181.lab.xxxx.net/emailAddress=xyz@yahoo.com
        Validity
            Not Before: Jun 9 20:22:20 2010 GMT
            Not After : Jun 9 20:22:20 2011 GMT
        Subject: C=US, ST=California, L=SantaClara, O=MyCompany Inc, OU=MyCompany Unit, CN=vcheung-181.lab.xxxx.net/emailAddress=xyz@yahoo.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:3a:91:2c:16:9d:c1:70:43:bf:1e:7c:ac:5d:
                    00:af:15:9c:a8:1b:6c:37:53:c8:b7:a2:6f:68:e0:
                    2e:f3:c6:f9:ee:0c:d3:f3:90:4e:c2:68:a4:a1:d5:
                    0c:2b:2d:ac:11:48:d5:c1:2c:21:a9:ef:4e:69:e8:
                    b5:9e:31:18:aa:99:b6:7e:1d:34:a2:4e:4d:e4:53:
                    50:44:7a:6a:ef:bf:d3:9d:fd:32:c1:af:d5:21:45:
                    80:cb:12:c5:8f:70:df:49:78:7d:1a:cf:6a:2e:cb:
                    6a:17:5f:86:71:c1:c5:d6:a3:da:63:7d:80:f6:f5:
                    ce:12:5d:ad:2a:24:b9:66:a9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:AB:B2:D2:2B:7F:DC:B7:DE:9F:F2:AF:B1:64:45:B0:24:B5:AD:10
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

    Signature Algorithm: sha1WithRSAEncryption
        01:ac:6f:e2:55:87:d1:20:9f:62:58:de:4b:6a:12:27:6e:22:
        fa:40:56:c3:5e:42:2b:f6:b1:68:95:c4:d1:6a:63:aa:4f:31:
        eb:f6:45:12:28:39:18:66:9d:f0:c9:f4:3f:c9:87:be:c4:e1:
        fb:71:99:12:f3:f3:c3:85:f2:d6:61:a8:51:f3:a7:e5:41:14:
        48:a2:17:f7:28:f6:87:24:8f:76:ca:2c:52:a1:1b:de:81:12:
        e6:b5:80:83:09:89:ae:41:54:5a:59:d8:05:cc:3c:72:72:e3:
        5f:22:1c:b3:1c:40:c0:7b:4c:bf:4e:45:43:6a:2c:41:83:31:
        2f:2f
-----BEGIN CERTIFICATE-----
MIIDRjCCAq+gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAoTDU15Q29tcGFueSBJbmMxFzAV
BgNVBAsTDk15Q29tcGFueSBVbml0MSUwIwYDVQQDExx2Y2hldW5nLTE4MS5sYWIu
cmVjb25uZXgubmV0MSMwIQYJKoZIhvcNAQkBFhRzaXJpc2gxNjE2QHlhaG9vLmNv
bTAeFw0xMDA2MDkyMDIyMjBaFw0xMTA2MDkyMDIyMjBaMIG0MQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKU2FudGFDbGFyYTEWMBQG
A1UEChMNTXlDb21wYW55IEluYzEXMBUGA1UECxMOTXlDb21wYW55IFVuaXQxJTAj
BgNVBAMTHHZjaGV1bmctMTgxLmxhYi5yZWNvbm5leC5uZXQxIzAhBgkqhkiG9w0B
CQEWFHNpcmlzaDE2MTZAeWFob28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDBOpEsFp3BcEO/HnysXQCvFZyoG2w3U8i3om9o4C7zxvnuDNPzkE7CaKSh
1QwrLawRSNXBLCGp705p6LWeMRiqmbZ+HTSiTk3kU1BEemrvv9Od/TLBr9UhRYDL
EsWPcN9JeH0az2ouy2oXX4ZxwcXWo9pjfYD29c4SXa0qJLlmqQIDAQABo3sweTAJ
BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUxauy0it/3Lfen/KvsWRFsCS1rRAwHwYDVR0jBBgw
FoAU8l0lrfBGlXHLPN2I2XeieayhS1cwDQYJKoZIhvcNAQEFBQADgYEAAaxv4lWH
0SCfYljeS2oSJ24i+kBWw15CK/axaJXE0Wpjqk8x6/ZFEig5GGad8Mn0P8mHvsTh
+3GZEvPzw4Xy1mGoUfOn5UEUSKIX9yj2hySPdsosUqEb3oES5rWAgwmJrkFUWlnY
Bcw8cnLjXyIcsxxAwHtMv05FQ2osQYMxLy8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Attachments: serverkey.pem, cacert.pem, servercert.pem (binary data)
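Brett's advice and the CA.sh transcript above both come down to which X.509 extensions end up in the certificate the LDAP server presents. The script below is an added example for this thread; it is neither code posted by anyone in it nor OpenSSL's CA.sh. It builds a throwaway CA, issues one certificate with the server usage flags (nsCertType = server, extendedKeyUsage = serverAuth) and one with the client flags, and then reads the flags back out of "openssl x509 -noout -text" the way Brett suggests, so a certificate can be checked for the "SSL Server" role before it is installed on the server. With "openssl ca" and "openssl x509 -req" the extensions are taken from the signer's config or -extfile section rather than copied from the CSR, which is why the sections live in a small config the script writes itself. The hostname ldap.example.test, the CA name, the scratch directory and all function names are this example's own assumptions, and an openssl binary (1.1.1 or later) is assumed to be on the path.

```shell
#!/bin/sh
# Added example for this thread (not the poster's CA.sh run, not OpenSSL's
# own script): issue server and client certificates with explicit usage
# flags and read the flags back, as "openssl x509 -noout -text" shows them.
set -eu

WORK=${WORK:-$(mktemp -d)}        # assumption: scratch directory for keys/certs
SERVER_HOST=ldap.example.test     # assumption: name the LDAP server will use

# One extension section per role. With "openssl ca" or "openssl x509 -req"
# the extensions come from here, not from the CSR.
write_config() {
    cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = DNS:$SERVER_HOST
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

make_ca() {   # self-signed CA certificate carrying the v3_ca extensions
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1095 \
        -subj "/CN=Example Lab CA" -config "$WORK/ext.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {   # issue_cert <server|client> <common name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -config "$WORK/ext.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -extensions "v3_$1" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# ext_value <cert> <extension name>: print the value line that follows the
# named extension in "openssl x509 -noout -text" output (empty if absent).
ext_value() {
    openssl x509 -in "$1" -noout -text |
        awk -v name="$2:" 'found { sub(/^[ \t]+/, ""); print; exit }
                           index($0, name) { found = 1 }'
}

# cert_allows_role <cert> <server|client>: 0 if the certificate may be used
# in that TLS role. An absent extension imposes no restriction; a present
# Netscape Cert Type or Extended Key Usage must list the role. This is the
# rule behind "Netscape cert type does not permit use for SSL server".
cert_allows_role() {
    case "$2" in
        server) ns="SSL Server"; eku="TLS Web Server Authentication" ;;
        client) ns="SSL Client"; eku="TLS Web Client Authentication" ;;
        *) return 2 ;;
    esac
    ns_line=$(ext_value "$1" "Netscape Cert Type")
    eku_line=$(ext_value "$1" "Extended Key Usage")
    case "$ns_line" in ""|*"$ns"*) ;; *) return 1 ;; esac
    case "$eku_line" in ""|*"$eku"*) ;; *) return 1 ;; esac
    return 0
}

# verify_purpose <cert> <sslserver|sslclient>: the same decision made by
# OpenSSL's own path validation, used here as a cross-check.
verify_purpose() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

write_config
make_ca
issue_cert server "$SERVER_HOST"
issue_cert client "ldap-client-01"

printf 'CA Basic Constraints: %s\n' "$(ext_value "$WORK/ca.crt" "Basic Constraints")"
for cert in server client; do
    for role in server client; do
        if cert_allows_role "$WORK/$cert.crt" "$role"; then flags=ok; else flags=REJECT; fi
        if verify_purpose "$WORK/$cert.crt" "ssl$role"; then ver=ok; else ver=REJECT; fi
        printf '%s.crt as SSL %s: -text flags %s, openssl verify %s\n' "$cert" "$role" "$flags" "$ver"
    done
done
```

Run as is and the two certificates are accepted only in their own role; handing client.crt to the LDAP server is the "round the wrong way" case and is rejected by both the -text check and "openssl verify -purpose sslserver". The script also prints the CA certificate's Basic Constraints, because a signing certificate must carry CA:TRUE there, whereas the CA.sh run above produced a serial-0 CA certificate with CA:FALSE and end-entity certificates with neither a Netscape Cert Type nor an Extended Key Usage. The private keys the script writes never leave the scratch directory; a server's private key has no reason to leave the server, let alone travel as a mail attachment.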