RE: Is my process correct.: openldap using GeoTrust
>From: owner-openssl-users@openssl.org On Behalf Of Rodney Simioni
>Sent: Thursday, 20 June, 2013 12:04
>A key/pair was sent to me from my admin and it looked like it came
>from GeoTrust. It's a wildcard cert.
A private key (which in most formats including openssl's is
really a keypair) and a matching certificate. You need both.
>I downloaded the Root CA from GeoTrust 's web site because LDAP
>requires the CA file.
The wildcard.securesites.com.cert you posted 6/19 has
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
GeoTrust doesn't publish that anywhere I can find but
http://www.tbs-certificats.com/FAQ/en/603.html has it as
-----BEGIN CERTIFICATE-----
[certificate body removed from the archived copy]
-----END CERTIFICATE-----
which is an intermediate (not root) cert (verifiably) under
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
and THAT is "Root 2" (one of several) on
http://www.geotrust.com/resources/root-certificates/index.html
(also in the standard Windows, Firefox, and Java truststores)
>What command do I use to make sure the key/pair that was sent to me
>is compatible with GeoTrust's CA?
Either concatenate the intermediate above and the correct root
(also in PEM) into one file say geotrustCAs.pem and do:
openssl verify -CAfile geotrustCAs.pem yourcertfile
Or put them as separate files in some directory say mycadir,
create hashnames using c_rehash or by hand, and do:
openssl verify -CApath mycadir yourcertfile
(The first is usually easier.)
Assuming (as asked before) your openldap is using openssl
not MozillaNSS, to use a key&cert with an intermediate cert
openssl requires either configuring a certchain file or
putting the chain cert(s) in the truststore (even if the
cert(s) or truststore aren't needed for verification).
The manpage on http://linux.die.net/man/5/slapd-config
does not indicate any option to configure a chain file;
if that is true for the version you are using, use one of
the above approaches with olcTLSCACertificateFile or Path.
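To make the two `openssl verify` approaches and the issuer/AKI matching concrete, here is an added shell example (my own code, not from the reply above and not GeoTrust's or OpenLDAP's). It builds a throwaway chain with the same shape as the one discussed (a self-signed root, an intermediate issued by it, a wildcard server cert issued by the intermediate; all names constructed), shows `-CAfile` failing with the root alone and succeeding once the intermediate is bundled in, does the `-CApath` variant with hash names created by hand, repeats the issuer-vs-subject and AKI-vs-SKI comparison, confirms the private key belongs to the cert, and finally writes a cn=config LDIF using olcTLSCACertificateFile (olcTLSCertificateFile and olcTLSCertificateKeyFile are the standard companion attributes in slapd-config). It assumes an `openssl` binary on PATH, version 1.1.0 or newer, and a writable directory passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Builds a constructed
# root -> intermediate -> wildcard-leaf chain and runs the checks the reply
# recommends. Assumes openssl 1.1.0+ on PATH and a writable directory in $1.

# Issue one cert with `openssl x509 -req`. $1=dir $2=name $3=ext file, rest=signer args.
issue_cert() {
    d=$1; n=$2; ext=$3; shift 3
    openssl x509 -req -in "$d/$n.csr" -days 365 -extfile "$d/$ext" \
        -out "$d/$n.pem" "$@" 2>/dev/null
}

# Key + CSR for one party. $1=dir $2=name $3=subject DN (constructed names).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

make_demo_chain() {
    d=$1; mkdir -p "$d"
    make_csr "$d" root "/C=US/O=Example Inc/CN=Example Global CA"   # stands in for the root
    make_csr "$d" int  "/C=US/O=Example Inc/CN=Example SSL CA"      # the intermediate
    make_csr "$d" leaf "/CN=*.example.test"                          # the wildcard cert
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$d/ca.ext"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > "$d/int.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:*.example.test' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$d/leaf.ext"
    issue_cert "$d" root ca.ext  -signkey "$d/root.key"
    issue_cert "$d" int  int.ext -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial
    issue_cert "$d" leaf leaf.ext -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
    # The "geotrustCAs.pem"-style bundle: intermediate then root, both PEM.
    cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Approach 1: -CAfile. The root alone is not enough (the leaf's issuer is the
# intermediate); the concatenated bundle verifies.
verify_with_cafile() {
    d=$1
    if openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1; then
        echo "unexpected: verified with the root alone"; return 1
    fi
    openssl verify -CAfile "$d/chain.pem" "$d/leaf.pem" >/dev/null 2>&1
}

# Approach 2: -CApath with <subject_hash>.0 names made by hand (what c_rehash does).
verify_with_capath() {
    d=$1; mkdir -p "$d/cadir"
    for n in int root; do
        cp "$d/$n.pem" "$d/cadir/$(openssl x509 -noout -subject_hash -in "$d/$n.pem").0"
    done
    openssl verify -CApath "$d/cadir" "$d/leaf.pem" >/dev/null 2>&1
}

# Hex key identifier under "<$2> Key Identifier" in -text output; handles the
# 1.1.x "keyid:..." and the 3.x bare-hex line formats.
key_id() {
    v=$(openssl x509 -in "$1" -noout -text | awk -v h="$2 Key Identifier" \
        'index($0, h) { getline; print $1; exit }')
    echo "${v#keyid:}"
}

# The by-hand matching done in the reply: leaf issuer DN == intermediate subject DN,
# leaf AKI == intermediate SKI; plus: the private key really belongs to the cert.
check_identities() {
    d=$1
    li=$(openssl x509 -in "$d/leaf.pem" -noout -issuer)
    is=$(openssl x509 -in "$d/int.pem" -noout -subject)
    [ "${li#issuer=}" = "${is#subject=}" ] || { echo "issuer != subject"; return 1; }
    [ "$(key_id "$d/leaf.pem" Authority)" = "$(key_id "$d/int.pem" Subject)" ] \
        || { echo "AKI != SKI"; return 1; }
    cp=$(openssl x509 -in "$d/leaf.pem" -noout -pubkey | openssl sha256)
    kp=$(openssl pkey -in "$d/leaf.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cp" = "$kp" ] || { echo "private key does not match cert"; return 1; }
}

# cn=config fragment pointing slapd at the bundle. Apply with (not run here):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f "$d/tls.ldif"
# olcTLSCACertificatePath with the rehashed cadir is the equivalent alternative.
write_slapd_tls_ldif() {
    d=$1
    cat > "$d/tls.ldif" <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $d/chain.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $d/leaf.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $d/leaf.key
EOF
}

main() {
    d=${1:-$(mktemp -d)}
    make_demo_chain "$d" && verify_with_cafile "$d" && verify_with_capath "$d" \
        && check_identities "$d" && write_slapd_tls_ldif "$d" \
        && echo "all checks passed; cn=config LDIF written to $d/tls.ldif"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then main "$@"; fi
```

Run it with `RUN_DEMO=1 sh chaincheck.sh /tmp/demo`. The failing first `verify` is the symptom the original poster would see with only the downloaded root in the CA file; adding the intermediate is what turns it into `OK`, and the same bundle is what slapd needs in olcTLSCACertificateFile so it can send the full chain to clients.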