Re: (ITS#8586) load cert+chain from TLSCertificateFile
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8586) load cert+chain from TLSCertificateFile
- From: firstname.lastname@example.org
- Date: Mon, 13 Feb 2017 12:22:53 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> email@example.com wrote:
>> as discussed on the technical ML it's uncommon to put chain certificates in
>> TLSCACertificateFile or TLSCACertificatePath. In case of an intermediate CA like
>> "Let's Encrypt Authority X3" it may be wrong because the user is forced to
>> /TRUST/ that intermediate for an unrelated purpose.
> We should be more precise here - especially regarding the term "user".
> IMO it is common to put the whole CA cert chain in the cert configuration of a TLS
> server. This is required so that the TLS *client* only has to know the root CA cert
> (trust anchor) and the TLS server sends the intermediate certs. Note that some TLS
> implementations like GnuTLS require the CA cert chain to be "in order" (bottom-up).
> The real issue here is that TLSCACertificateFile and TLSCACertificatePath are also used
> to specify the set of trusted CA certs to validate TLS client certs used by the TLS
> client to authenticate.
It's pretty much unheard of for an LDAP server to trust TLS client certs
issued by a CA different from the LDAP server's own CA. Since client certs are
usually issued only to allow authentication, an LDAP server will only trust
its own CA to issue identities to clients.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
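The points made in the thread above (the server sends the intermediate so the client only needs the root, the chain file must be ordered bottom-up for implementations like GnuTLS, and the chain should not double as the client-cert trust store) can be checked end to end with the openssl CLI. The script below is an added example, not code from OpenLDAP or from anyone in this thread: it builds a constructed three-level PKI (root CA, intermediate CA, server cert; the names "Demo Root CA", "Demo Intermediate CA" and ldap.example.com are made up for the demo), assembles the leaf-first chain file, checks the ordering by walking subject/issuer pairs, and verifies the leaf as a client that trusts only the root would, both with and without the intermediate supplied.

```shell
#!/bin/sh
# Added example (not OpenLDAP code). Requires the openssl CLI.
# Builds a constructed PKI: root CA -> intermediate CA -> server cert,
# then assembles and checks the bottom-up chain a TLS server should send.
set -e

make_pki() {
  dir=$1
  mkdir -p "$dir"
  (
    cd "$dir"
    # Root CA: the only cert the TLS client needs in its trust store.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 \
        -extfile ca.ext 2>/dev/null
    # Intermediate CA, issued by the root (the "Let's Encrypt Authority X3" role).
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 1825 -extfile ca.ext 2>/dev/null
    # Server (end-entity) cert, issued by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\nextendedKeyUsage=serverAuth\n' > server.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=ldap.example.com" 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out server.pem -days 365 -extfile server.ext 2>/dev/null
    # Bottom-up chain file: leaf first, then the intermediate; the root is
    # deliberately left out because the client already holds it as trust anchor.
    cat server.pem inter.pem > server-chain.pem
  )
}

# Return 0 when each certificate in the PEM bundle is issued by the one that
# follows it, i.e. the bundle is ordered bottom-up (leaf, intermediate(s)).
chain_is_bottom_up() {
  bundle=$1
  parts=$bundle.parts
  rm -rf "$parts" && mkdir -p "$parts"
  # Split the bundle into 1.pem, 2.pem, ... in file order.
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/" n ".pem") }' "$bundle"
  count=$(ls "$parts" | wc -l | tr -d ' ')
  i=1
  prev_issuer=
  while [ "$i" -le "$count" ]; do
    subject=$(openssl x509 -noout -subject -in "$parts/$i.pem")
    issuer=$(openssl x509 -noout -issuer -in "$parts/$i.pem")
    subject=${subject#*=}   # strip the "subject=" prefix
    issuer=${issuer#*=}     # strip the "issuer=" prefix
    if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
      echo "certificate $i ($subject) does not issue certificate $((i - 1))" >&2
      return 1
    fi
    prev_issuer=$issuer
    i=$((i + 1))
  done
  return 0
}

# Return 0 when a client trusting only root.pem can validate server.pem given
# the extra certificates in $2. An empty $2 simulates a server that sends no
# intermediate, which is exactly the case the chain file exists to prevent.
client_can_verify() {
  dir=$1
  extra=$2
  if [ -n "$extra" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$extra" "$dir/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/server.pem" >/dev/null 2>&1
  fi
}
```

With the chain file assembled this way, the arrangement the ITS asks for is to point TLSCertificateFile at server-chain.pem and TLSCertificateKeyFile at server.key, leaving TLSCACertificateFile to hold only the CA that actually issues client certificates (which, as Howard notes, is normally the LDAP server's own CA). Putting inter.pem into TLSCACertificateFile instead would make it both a chain element and a trusted issuer of client identities, which is the conflation the original report objects to.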