[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Quick question about OpenLDAP Server CA certificate handling



Hi Andreas,

Thanks- the discussion in the ITS is very useful/interesting. I should
clarify that we're referring to a commercially-signed certificate for
our LDAP server so clients should already have the root CA in their
trust store.

We also aren't currently doing client cert verification and tend to use
service accounts for client authentication. We may look to support
client cert verification in the future using our own internal CA.

Kind regards,
Mark


On 13/04/2019 15:48, A. Schulze wrote:
> 
> 
> Am 11.04.19 um 13:35 schrieb Mark Cairney:
> 
> Hello Mark,
> 
>> However based on our understanding of how SSL works we should only
>> actually need the intermediate(s) in there as the client should have the
>> root and then compare the intermediate provided by the server and only
>> trust it if it can use this in conjunction with it's copy of the root
>> certificate to complete the chain of trust.
>>
>> Based on this we configure our web servers to only have the
>> intermediate(s) in their chain (and in fact SSL Labs marks you down if
>> you have the root in there too).
> That's best practice for *any* TLS server.
> 
> have a look at https://www.openldap.org/its/index.cgi?findid=8586
> With the referenced patch I can setup
>  TLSCertificateFile /path/to/cert+intermediate.pem
>  TLSCertificateKeyFile /path/to/privkey.pem
> 
> I have no TLSCACertificateFile at all because I don't use certificates
> to authenticate ldap clients...
> 
>> Of course we do realise LDAP is not HTTP!
> I think, it *is* very similar...
> 
> Andreas
> 
> 

-- 
/****************************

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: Mark.Cairney@ed.ac.uk
PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.