
Re: SSL server certificate that has an intermediary certificate in the chain



Erwann ABALEA wrote:
2011/7/30 Howard Chu<hyc@symas.com>:
Frank Swasey wrote:
On 7/29/11 3:09 PM, Philip Guenther wrote:
On Fri, 29 Jul 2011, Francis Swasey wrote:
I have tried placing both the server certificate and the intermediate
certificate in the same file.  OpenLDAP won't start if I put the
intermediate certificate first, and openssl fails to verify the
certificate chain if I put the server certificate first in the file.

Have I missed something obvious or has OpenLDAP really forced me into
the position of needing to add the intermediate certificate from my SSL
CA Vendor into my trusted store on all my clients?

It's a CA cert; have you tried adding it to the file specified by the
TLSCACertificateFile option?

Well, I never looked at it that way.  Yes, adding the intermediate
certificate to the file pointed to by the TLSCACertificateFile option on
the OpenLDAP server appears to have worked.

Amazing what trouble you could save yourself if you actually read the
documentation.

He said he looked at the documentation. Documentation is not a novel;
things must be organized so they can be found easily.

If you are having trouble configuring TLS certificates on your server, and don't think to read the TLS Server Configuration section of the Guide, I doubt the problem is in the organization of the documentation.

http://www.openldap.org/doc/admin24/tls.html#Server%20Configuration
Section 16.2.1.1

Actual OpenLDAP configuration would be to place B (and maybe B1)
certificate in TLSCACertificateFile/Path element, to be able to verify
the Client certificate. The Server must also place A1 in this element,
so it can be sent to the Client to help it verify the Server
certificate.

So, during the TLS negotiation, B, A1, maybe B1, maybe A are sent to
the Client for it to verify the Server certificate? (remember, this
certificate is signed by A1, and A must already be known by the
Client). That's a waste of bandwidth.

The TLS library doesn't do anything so stupid, it only sends the certificates that are part of the chain from the subject's cert up to the root CA.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
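The failure Frank hit, and the fix the thread arrives at, can be reproduced without a slapd at all. The script below is an added example, not code from the thread or from the OpenLDAP project: it uses the openssl command line to build a throwaway root (A), intermediate (A1) and server certificate signed by A1, then checks the leaf the way a client that trusts only A would. The names (Example Root CA, Example Intermediate CA, ldap.example.com), the extension profiles and the scratch directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread or the OpenLDAP project):
# builds a throwaway three-level chain with openssl and shows why a server
# certificate issued by an intermediate does not verify against the root alone.
# All names below are made up for the demonstration.
set -e

WORK=$(mktemp -d)      # left in place afterwards so the files can be inspected
cd "$WORK"

# Extension profiles (constructed): CA certs need basicConstraints CA:TRUE,
# the end-entity cert must not be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\n' > srv_ext.cnf

# Root CA "A": self-signed. This is the only thing the client trusts.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Example Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 \
  -extfile ca_ext.cnf -out root.pem 2>/dev/null

# Intermediate CA "A1": signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/CN=Example Intermediate CA' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca_ext.cnf -out inter.pem 2>/dev/null

# Server certificate: signed by the intermediate, not by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj '/CN=ldap.example.com' 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -extfile srv_ext.cnf -out server.pem 2>/dev/null

# What a client that trusts only the root sees when the server sends just its
# own certificate: the issuer (A1) is unknown, so verification fails.
verify_without_intermediate() {
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# What the same client sees once the server also sends A1 (which is what
# listing A1 in TLSCACertificateFile achieves on the OpenLDAP side): A1 is
# not trusted on its own, but it links the leaf to the trusted root.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem server.pem >/dev/null 2>&1
}

# Count certificates in a PEM bundle, e.g. to confirm a chain file holds the
# leaf plus the intermediate and nothing else.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

cat server.pem inter.pem > chain.pem

if verify_without_intermediate; then
    echo "unexpected: leaf verified against the root alone"
else
    echo "as expected: leaf alone does not verify against the root"
fi
verify_with_intermediate && echo "leaf + intermediate verifies against the root"
echo "chain.pem holds $(count_pem_certs chain.pem) certificates"

# Against a live server the equivalent check is (not run here):
#   openssl s_client -connect ldap.example.com:636 -CAfile root.pem -showcerts </dev/null
# "Verify return code: 0 (ok)" with two certificates listed means the
# intermediate is being sent.
```

With these files the slapd side of the fix described in the thread is TLSCertificateFile pointing at server.pem, TLSCertificateKeyFile at server.key, and TLSCACertificateFile at a file containing inter.pem (plus whatever CAs are needed to verify client certificates). Clients still need only root.pem in their trust store; the `-untrusted` flag models the intermediate arriving in the handshake rather than from the local store.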