
Re: Solaris 10 native Client with TLS to OpenLDAP



John Gee <john@kleinfeld.ch> writes:

> On Wed, Oct 08, 2008 at 06:35:36PM +0200, Dieter Klünter wrote:
> [...]
>> I just had to switch to my Solaris box in order to test ldapclient. I am
>> referring to your initial mail now.
>> With certutil you created a certificate database which includes the server
>> certificates; these are presented to the ldap server as client
>> certificates. Remove these server certificates from the repository and
>> just leave the ca-cert in order to verify the server certificate. This
>> setup I just tested successfully on my Solaris box.
>
> Ok, I removed the certificates from my CertDB, so that the ca-cert is alone
> there. It happens exactly the same as already described.
> Maybe I'm doing something wrong with the import of the self-signed ca to
> certdb.

Did you sign the server certificates with this ca-cert? And how did you
create the CA and the server certificates?
I personally use the CA.pl tools from openssl; this is by no means the
best way to do it, but the simplest. If you follow this path, you may
have to edit openssl.cnf to meet your requirements. Then you just do:
./CA.pl -newca, which creates a self-signed CA
./CA.pl -newreq, which creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, which removes the password
from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
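The CA.pl sequence from the mail above, written out as plain non-interactive openssl commands so the "was the server certificate really signed by this CA?" question can be checked on any box (an added example, not code from the thread or from the OpenLDAP project). It assumes openssl is on PATH; the subject names, file names and the "secret" passphrase are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: the CA.pl -newca / -newreq / -sign / -verify steps as
# explicit openssl calls. Subject names, file names and the passphrase
# "secret" are placeholders (assumptions), not values from the thread.
set -eu

make_ca_and_server_cert() {
    dir="$1"    # working directory, created by the caller
    host="$2"   # CN the Solaris ldapclient will compare against the server

    # CA.pl -newca: self-signed CA certificate and its private key
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null

    # CA.pl -newreq: passphrase-protected server key plus a CSR
    openssl req -new -newkey rsa:2048 -passout pass:secret \
        -subj "/O=Example/CN=$host" \
        -keyout "$dir/newreq-key.pem" -out "$dir/newreq.pem" 2>/dev/null

    # CA.pl -sign: issue the server certificate from the CSR with the CA key
    openssl x509 -req -in "$dir/newreq.pem" -days 365 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/foo-cert.pem" 2>/dev/null

    # "openssl rsa -in newreq.pem -out foo-key.pem": strip the passphrase
    # so slapd can load the key unattended
    openssl rsa -in "$dir/newreq-key.pem" -passin pass:secret \
        -out "$dir/foo-key.pem" 2>/dev/null

    # CA.pl -verify: exits non-zero unless foo-cert.pem chains to ca-cert.pem.
    # Only ca-cert.pem belongs in the client's certutil database;
    # foo-cert.pem and foo-key.pem stay on the LDAP server.
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/foo-cert.pem"
}

# Same check against an arbitrary CA file; a server certificate issued by
# some other CA must fail here, otherwise the CA-only cert DB on the
# client would accept any server presenting a certificate.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```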