[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Quick question about OpenLDAP Server CA certificate handling
- To: openldap-technical@openldap.org
- Subject: Quick question about OpenLDAP Server CA certificate handling
- From: Mark Cairney <Mark.Cairney@ed.ac.uk>
- Date: Thu, 11 Apr 2019 12:35:42 +0100
- Content-language: en-GB
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
Hi,
Having just updated our SSL certificates on our OpenLDAP server led us
to review the contents of our "bundle" file referenced in
"olcTLSCACertificateFile".
According to the documentation at:
https://www.openldap.org/doc/admin24/tls.html it states "This directive
specifies the PEM-format file containing certificates for the CA's that
slapd will trust. The certificate for the CA that signed the server
certificate must be included among these certificates. If the signing CA
was not a top-level (root) CA, certificates for the entire sequence of
CA's from the signing CA to the top-level CA should be present. Multiple
certificates are simply appended to the file; the order is not significant."
However based on our understanding of how SSL works we should only
actually need the intermediate(s) in there as the client should have the
root and then compare the intermediate provided by the server and only
trust it if it can use this in conjunction with it's copy of the root
certificate to complete the chain of trust.
Based on this we configure our web servers to only have the
intermediate(s) in their chain (and in fact SSL Labs marks you down if
you have the root in there too).
Of course we do realise LDAP is not HTTP!
We're running OpenLDAP 2.4.47 linked against OpenSSL on Scientific Linux
7.5.
Kind regards,
Mark
--
/****************************
Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney@ed.ac.uk
PGP: 0x435A9621
*******************************/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.