Re: SSL server certificate that has an intermediary certificate in the chain
- To: Francis Swasey <Frank.Swasey@uvm.edu>
- Subject: Re: SSL server certificate that has an intermediary certificate in the chain
- From: Philip Guenther <guenther+ldaptech@sendmail.com>
- Date: Fri, 29 Jul 2011 12:09:56 -0700
- Cc: openldap-technical@openldap.org
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=spork.dkim; t=1311966602; bh=y06vv8xSbMrR1zeXtwjnLS1I4UjDSt+Qfq/l+peMl/Q=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References: MIME-Version:Content-Type; b=l264QZu4RdXlYpXWknBv5kBfEP4I0cHJfrmeni0mdzZNpt54pKMqhcAumPNF2RJTd G+kKJWHbcXQ65f5DwGZnMGIX7TbL0XvpfSWBG276vPX7bVZXdJCKkxA8a3ezAdxI29 +A2rpxwy/bMD1jXj2ZQlaK1EJLMDgyOp9+BsBgmI=
- In-reply-to: <4E330129.4030004@uvm.edu>
- References: <4E330129.4030004@uvm.edu>
- User-agent: Alpine 2.00 (BSO 1167 2008-08-23)
On Fri, 29 Jul 2011, Francis Swasey wrote:
> I have searched the faq-o-matic, google, the admin guide, and I cannot
> find any documentation that will allow me to set up my OpenLDAP 2.4.25
> server using an SSL certificate that was issued from a CA that uses
> intermediate certificates (by which I mean to indicate any commercial
> SSL cert company currently selling certs).
>
> Apache has the SSLCertificateChainFile directive to handle this.
> OpenLDAP seems to be lacking this functionality.
>
> I have tried placing both the server certificate and the intermediate
> certificate in the same file. OpenLDAP won't start if I put the
> intermediate certificate first, and openssl fails to verify the
> certificate chain if I put the server certificate first in the file.
>
> Have I missed something obvious or has OpenLDAP really forced me into
> the position of needing to add the intermediate certificate from my SSL
> CA Vendor into my trusted store on all my clients?
It's a CA cert; have you tried adding it to the file specified by the
TLSCACertificateFile option?
Philip Guenther
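The reply above leaves the check to the reader. The script below is an added example, not code from the thread or from the OpenLDAP project: it builds a throwaway root -> intermediate -> server chain with the openssl CLI (the names Example Root CA, Example Intermediate CA and ldap.example.test are constructed here), then shows that a verifier holding only the root cannot validate the server certificate while one holding the intermediate plus root (the cacerts.pem that would become TLSCACertificateFile) can, and that a file with the intermediate placed first exposes the intermediate as its first certificate, which is the only one a single-certificate loader such as the TLSCertificateFile reader picks up.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> server
# chain with the openssl CLI and check which CA file lets a client verify the server
# certificate. All names and files here are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"

# Minimal OpenSSL config; the ca_ext section gives the root and intermediate
# the basicConstraints/keyUsage they need to sign certificates.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF

# Create root.pem, inter.pem, server.pem/server.key and the two candidate
# bundle files in $WORK (runs in a subshell so the cd does not leak).
make_chain() (
  cd "$WORK"
  # Root CA: stands in for the vendor root that clients already trust.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
    -subj "/CN=Example Root CA" -config ca.cnf -extensions ca_ext 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" -config ca.cnf 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile ca.cnf -extensions ca_ext 2>/dev/null
  # Server certificate for slapd, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=ldap.example.test" -config ca.cnf 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 30 -extfile ca.cnf -extensions srv_ext 2>/dev/null
  # What the reply suggests: intermediate (and root) in the TLSCACertificateFile.
  cat inter.pem root.pem > cacerts.pem
  # The questioner's attempt: both certs in one file, intermediate first.
  cat inter.pem server.pem > wrong_order.pem
)

# Exit 0 if server.pem chains to a trusted root using only $1 as the CA file.
verify_with() {
  openssl verify -CAfile "$WORK/$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Print the subject of the first certificate in $1; openssl x509, like
# single-certificate loaders, reads only the first PEM block of the file.
first_subject() {
  openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Corresponding slapd.conf fragment (paths are assumed, adjust to the installation):
#   TLSCertificateFile    /etc/openldap/certs/server.pem
#   TLSCertificateKeyFile /etc/openldap/certs/server.key
#   TLSCACertificateFile  /etc/openldap/certs/cacerts.pem
make_chain
for ca in root.pem cacerts.pem; do
  if verify_with "$ca"; then echo "$ca: chain verifies"; else echo "$ca: verify FAILS"; fi
done
echo "first cert in wrong_order.pem: $(first_subject wrong_order.pem)"
```

Running it prints "root.pem: verify FAILS" and "cacerts.pem: chain verifies", and reports the intermediate CA as the first certificate of wrong_order.pem. Against a real server the equivalent check is `openssl s_client -connect ldap.example.test:636 -showcerts`, which lists every certificate slapd actually presents; if the intermediate is absent from that list, clients that trust only the vendor root will keep failing, and adding the intermediate to the file named by TLSCACertificateFile is the fix the reply points at. A follow-up `ldapsearch -ZZ` from a client whose trust store holds only the root confirms the chain end to end.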