
RE: Is my process correct.: openldap using GeoTrust



>From: owner-openssl-users@openssl.org On Behalf Of Rodney Simioni
>Sent: Thursday, 20 June, 2013 12:04

>A key/pair was sent to me from my admin  and it looked like it came 
>from GeoTrust. It's a wildcard cert.

A private key (which in most formats, including openssl's, is 
really a keypair) and a matching certificate. You need both.

>I downloaded the Root CA from GeoTrust's web site because LDAP 
>requires the CA file.

The wildcard.securesites.com.cert you posted 6/19 has 
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A

GeoTrust doesn't publish that anywhere I can find but 
http://www.tbs-certificats.com/FAQ/en/603.html has it as 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

which is an intermediate (not root) cert (verifiably) under 
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

and THAT is "Root 2" (one of several) on 
http://www.geotrust.com/resources/root-certificates/index.html
(also in the standard Windows, Firefox, and Java truststores)

>What command do I use to make sure the key/pair that was sent to me 
>is compatible with GeoTrust's CA?

Either concatenate the intermediate above and the correct root 
(also in PEM) into one file say geotrustCAs.pem and do:
openssl verify -CAfile geotrustCAs.pem yourcertfile

Or put them as separate files in some directory say mycadir, 
create hashnames using c_rehash or by hand, and do:
openssl verify -CApath mycadir yourcertfile

(The first is usually easier.)

Assuming (as asked before) your openldap is using openssl 
not Mozilla NSS, to use a key&cert with an intermediate cert 
openssl requires either configuring a certchain file or 
putting the chain cert(s) in the truststore (even if the 
cert(s) or truststore aren't needed for verification).

The manpage on http://linux.die.net/man/5/slapd-config 
does not indicate any option to configure a chain file;
if that is true for the version you are using, use one of 
the above approaches with olcTLSCACertificateFile or Path.
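The two verify forms from the reply above, plus the key/cert match check the original question asked for, as an added runnable example that is not part of the thread: it builds a throwaway root -> intermediate -> leaf chain with openssl so nothing depends on real GeoTrust material, then verifies the leaf with -CAfile (concatenated file) and with -CApath (hash-named directory built by hand), and shows that the root alone is not enough. All names (Example Root, *.example.test, geotrustCAs.pem, mycadir) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a test chain and runs the
# checks discussed above. Requires the openssl command-line tool (1.1.x or 3.x).
set -eu

# Generate a key and a CSR for SUBJECT into DIR/NAME.key and DIR/NAME.csr.
gen_csr() {  # gen_csr DIR NAME SUBJECT
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Build root -> intermediate -> leaf in DIR. Every issuer carries
# basicConstraints CA:TRUE, which openssl verify requires on each CA in the path.
make_chain() {  # make_chain DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$d/leaf.ext"

    gen_csr "$d" root "/O=Example/CN=Example Root"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    gen_csr "$d" int "/O=Example/CN=Example Intermediate CA"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    gen_csr "$d" leaf "/O=Example/CN=*.example.test"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

    # Form 1 from the reply: intermediate and root concatenated into one PEM file.
    cat "$d/int.pem" "$d/root.pem" > "$d/geotrustCAs.pem"

    # Form 2: separate files in a directory, named by subject hash "by hand"
    # (the same <hash>.0 layout that c_rehash / openssl rehash produce).
    mkdir -p "$d/mycadir"
    for c in int root; do
        cp "$d/$c.pem" "$d/mycadir/$(openssl x509 -hash -noout -in "$d/$c.pem").0"
    done
}

# openssl verify prints "<file>: OK" on success; older releases did not always
# reflect a failure in the exit status, so check the output text as well.
verify_ok() {  # verify_ok <openssl verify arguments...>
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

verify_with_cafile() { verify_ok -CAfile "$1/geotrustCAs.pem" "$1/leaf.pem"; }
verify_with_capath() { verify_ok -CApath "$1/mycadir" "$1/leaf.pem"; }
# The root alone cannot verify the leaf: its issuer is the intermediate.
verify_root_only()   { verify_ok -CAfile "$1/root.pem" "$1/leaf.pem"; }

# Does this private key belong to this certificate? Compare the public halves.
key_matches_cert() {  # key_matches_cert KEYFILE CERTFILE
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Stand-alone run: build the chain in a temporary directory and report.
DEMO_DIR=$(mktemp -d)
make_chain "$DEMO_DIR"
key_matches_cert "$DEMO_DIR/leaf.key" "$DEMO_DIR/leaf.pem" && echo "leaf.key matches leaf.pem"
verify_with_cafile "$DEMO_DIR" && echo "-CAfile geotrustCAs.pem (intermediate+root): OK"
verify_with_capath "$DEMO_DIR" && echo "-CApath mycadir (hash-named files): OK"
verify_root_only "$DEMO_DIR" || echo "root.pem alone (no intermediate): fails, as expected"
```

Replace leaf.key / leaf.pem with the key and certificate you were sent, and geotrustCAs.pem with the real intermediate and root, and the same four calls apply unchanged; the key_matches_cert check is what tells you the private key and the wildcard certificate actually go together before you hand them to slapd.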