Re: Problem verifying self signed certificate
At 08:45 AM 9/4/2005, Peter Marschall wrote:
>AFAIK this is expected behaviour as you cannot use a self-signed server
>certificate with openLDAP.
Have you examined the certificate at ldap.openldap.org?
It's a self-signed certificate.
>OpenLDAP expects you to use a server certificate that is different from the
>certificate of the issueing CA.
Incorrect.
You simply need to configure the client to accept the
server's certificate as valid by setting the CA file
to a copy of the server's certificate.
Of course, it is generally recommended that server certificates
should be signed by a separate CA certificate.
Excepting the actual configuration directives
(see ldap.conf(5)), none of this is actually specific
to OpenLDAP (as evident from the following):
% openssl s_client -host ldap.openldap.org -port 636 > ! openldap.cert
...
verify error:num=18:self signed certificate
verify return:1 ...
[CTRL-D]
% openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
...
Verify return code: 0 (ok)
[CTRL-D]
Kurt
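The point made above, reproduced offline as an added example (this is not code from the list post or from OpenLDAP): a freshly generated self-signed certificate fails `openssl verify` against the default trust store with the same error 18 ("self signed certificate") seen in the `s_client` run, verifies once that very certificate is supplied as the CA file, and still fails when some other self-signed certificate is supplied instead. The script assumes the `openssl` CLI is on PATH; the common names, file names and the second "wrong CA" certificate are made up for the demo.

```shell
#!/bin/sh
# Added demonstration, not from the list post. Requires the openssl CLI.
# Everything below (names, files, the unrelated second cert) is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_KEY="$WORK/server.key"
SERVER_CERT="$WORK/server.crt"
OTHER_CERT="$WORK/other.crt"   # unrelated self-signed cert: the wrong CA file

# Generate a self-signed certificate: the subject signs its own certificate,
# so issuer == subject and no separate CA certificate exists.
make_self_signed_cert() {
    key="$1"; cert="$2"; cn="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$cn" -keyout "$key" -out "$cert" >/dev/null 2>&1
}

# A certificate is self-signed, in the sense openssl reports, when its
# issuer name equals its subject name.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Verify using only the default trust store; a self-signed cert that is not
# in that store fails here (exit status non-zero, verify error 18).
verify_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# Extract the verify error text: "self signed certificate" on OpenSSL 1.1,
# "self-signed certificate" on 3.x; empty string if verification succeeds.
verify_error_text() {
    openssl verify "$1" 2>&1 | grep -io 'self.signed certificate' | head -n 1
}

# Verify with an explicit CA file, as the client does when ldap.conf's
# TLS_CACERT points at a copy of the server certificate.
verify_with_cafile() {
    cafile="$1"; cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

demo() {
    make_self_signed_cert "$SERVER_KEY" "$SERVER_CERT" ldap.example.test
    make_self_signed_cert "$WORK/other.key" "$OTHER_CERT" other.example.test

    if is_self_signed "$SERVER_CERT"; then
        echo "server.crt: issuer equals subject, i.e. self-signed"
    fi
    if verify_default_store "$SERVER_CERT"; then
        echo "unexpected: default trust store accepted server.crt"
    else
        echo "default trust store: $(verify_error_text "$SERVER_CERT")"
    fi
    if verify_with_cafile "$SERVER_CERT" "$SERVER_CERT"; then
        echo "CAfile=server.crt: Verify return code: 0 (ok)"
    fi
    if verify_with_cafile "$OTHER_CERT" "$SERVER_CERT"; then
        echo "unexpected: an unrelated cert as CA file accepted server.crt"
    else
        echo "CAfile=other.crt: rejected, the CA file must be the server cert itself"
    fi
}

demo
```

The `-CAfile` check is effectively certificate pinning: the client trusts exactly that certificate and nothing signed by it, which is why rotating the server certificate later also means redistributing the new copy to every client. A separate CA certificate, as recommended in the post, avoids that coupling.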