
TLS certificate verification: Error, self signed certificate



I'm working with openldap 2.1.23 on Sparc Solaris 9 systems. I have
setup an LDAP server and replica. I have loaded the database using
PADL's scripts. Now I'm trying to get tls working. I have created
certificates and keys on the ldap server and verified them with openssl.
I copied them to the replica system as well. I have added the TLS lines
to the slapd.conf file and the ldap.conf file. When I test using
ldapsearch on the ldap server I get the following error:

/usr/local/bin/ldapsearch -d -1 -x -ZZ -b 'dc=highley-recommended,,dc=com' '(objectclass=*)'

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0           
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So can we use self signed certificates? Do we need to generate
certificates and keys for the replica? What about clients?

-- 


Regards,

David Highley		      Phone: (206) 669-0081
Highley Recommended, Inc.	FAX: (253) 838-8509
2927 SW 339th Street	      Email: dhighley@highley-recommended.com
Federal Way, WA 98023-7732	WEB: http://www.highley-recommended.com
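Added example, not part of the original message or of OpenLDAP itself: a small shell script that reproduces the "self signed certificate" / "unknown CA" verification failure from the trace above with the openssl CLI, then shows that it clears once the client is given the self-signed server certificate as its trust anchor (in OpenLDAP terms, TLS_CACERT in the client's ldap.conf pointing at that file). It assumes the openssl command is installed; the CN ldap.example.test and all files are constructed throwaway values.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "self signed
# certificate" / "unknown CA" verification failure with the openssl CLI and
# show the fix, namely making the client trust the self-signed server
# certificate as its anchor. Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway self-signed server certificate, standing in for the
# certificate generated on the LDAP server. The CN is a made-up value.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Prints "trusted" or "untrusted" for a certificate, given an optional trust
# anchor file. With no anchor, openssl falls back to the system CA store,
# which (like a client ldap.conf with no TLS_CACERT) does not contain a
# self-signed certificate, so verification fails exactly as in the trace.
check_trust() {
    cert=$1
    anchor=${2:-}
    if [ -n "$anchor" ]; then
        set -- -CAfile "$anchor" "$cert"
    else
        set -- "$cert"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_self_signed_cert
echo "no trust anchor configured:   $(check_trust "$WORK/server.crt")"
echo "self-signed cert as anchor:   $(check_trust "$WORK/server.crt" "$WORK/server.crt")"
# The second line is the state a client reaches once its ldap.conf carries
# TLS_CACERT pointing at the same self-signed certificate file (or at the CA
# certificate that signed the server's certificate).
```

The same check can be run on the replica and on each client against the certificate file they actually present or trust, which separates a trust-store problem from a bad certificate.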