
Re: Netscape Certificates in OpenLDAP



On Wed, 22 Mar 2000, Mark Krischer wrote:

> Giuseppe Lo Biondo wrote:
> 
> > Hi!
> >
> > I'm trying to store X.509 Certificates in my OpenLDAP server.
> >
> > I successfully stored my certificate in the server and the netscape
> > addressbook displays it correctly. (it is stored as usercertificate;binary
> > and I've encoded the DER certificate using ldif -b )
> >
> > When I try to download the certificate using the security tabs, my browser
> > finds the certificate but it seems to ignore it when I try to download
> > (I've tried with my cert and with another person's cert).
> >
> > I've already seen various threads of discussion in this mailing list and
> > this seems a known problem, has anyone found the right recipe to make this
> > work?
> >
> > Giuseppe Lo Biondo
> 
> can you give some more details about "seems to ignore it"?
> 
> without really understanding your problem, here's a few thoughts.  if you
> already have the certificate--such as your own--it won't add it again.  check
> the "people" section in certificates and see what's there.
> 
> --mk
> 

The certificate I try to download is not in my keyring, nor is it mine.

To store the certificate I encoded a pem file using ldif -b (that is a
base64 encoding I guess). The certificate is stored in the
userCertificate;binary attribute and I've seen that a query using for
example ldapsearch returns the decoded certificate.

Now I wonder who decodes the certificate! slapd or the client? Does slapd
understand that ;binary is a subtype and decodes it? Or the string
"userCertificate;binary" is an attribute on its own and only the clients
recognise it?

I think that there is nothing wrong with the cert itself since the
certificate in pem format is correctly loaded into netscape if I load it
through a web page with a script such as the following:

#!/usr/bin/perl
print "Content-type:application/x-x509-email-cert\n\n";
print <<EOB;
-----BEGIN CERTIFICATE-----
MIID+DCCA2GgAwIBAgIBSzANBgkqhkiG9w0BAQQFADBGMQswCQYDVQQGEwJJVDEN
....
....
-----END CERTIFICATE-----
EOB

Anyway I still don't understand why netscape does not load the certificate
through the security dialogs even if it claims that a certificate was
found in the LDAP server.

Many thanks.
Giuseppe
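
An added example, not part of the original message and not OpenLDAP code: a check on the bytes destined for userCertificate;binary, which is expected to hold the DER encoding of the certificate, while the base64 after "::" in LDIF is only a transport encoding that the LDIF tool removes before the value reaches the server. The function names and the sample blob are constructed for illustration, and the 76-column fold width is an assumption.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def is_der_sequence(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE whose length field matches."""
    if len(blob) < 2 or blob[0] != 0x30:        # a certificate is a SEQUENCE
        return False
    first = blob[1]
    if first < 0x80:                            # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                            # long form: n length octets
    if not 1 <= n <= 4 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def classify(blob: bytes) -> str:
    """Report what the bytes that would be stored in the attribute are."""
    if is_der_sequence(blob):
        return "der"
    return "pem" if PEM_RE.search(blob) else "unknown"

def to_der(blob: bytes) -> bytes:
    """Return DER bytes from DER or PEM input; reject anything else."""
    if is_der_sequence(blob):
        return blob
    match = PEM_RE.search(blob)
    der = base64.b64decode(match.group(1)) if match else b""
    if not is_der_sequence(der):
        raise ValueError("input is neither DER nor a PEM-wrapped DER certificate")
    return der

def ldif_value(blob: bytes, width: int = 76) -> str:
    """Build the folded LDIF line; continuation lines start with one space."""
    line = "userCertificate;binary:: " + base64.b64encode(to_der(blob)).decode()
    parts = [line[:width]]
    parts += [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(parts)

# Constructed sample: a well-formed DER SEQUENCE header over filler bytes,
# standing in for a certificate (it is not a real X.509 certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(classify(SAMPLE_PEM), classify(SAMPLE_DER))
    print(ldif_value(SAMPLE_PEM))
```

A result of "pem" for the bytes an entry actually holds means the PEM text itself was stored, so a client that expects DER in the attribute cannot parse it.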