[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8586) load cert+chain from TLSCertificateFile

michael@stroeder.com wrote:
> sca+openldap@andreasschulze.de wrote:
>> as discussed on the technical ML it's uncommon to put chain certificates in
>> TLSCACertificateFile or TLSCACertificatePath. In case of a intermediate CA like
>> "Let's Encrypt Authority X3" it may be wrong becaus the user is forced to
>> /TRUST/ that intermediate for a unrelated purpose.
> We should be more precise here - especially regarding the term "user".
> IMO it is common to put the whole CA cert chain in the cert configuration of a TLS
> server. This is required so that the TLS *client* only has to know the root CA cert
> (trust anchor) and the TLS server sends the intermediate certs. Note that some TLS
> implementations like GnuTLS require the CA cert chain to be "in order" (bottom-up).
> The real issue here is that TLSCACertificateFile and TLSCACertificatePath are also used
> to specify the set of trusted CA certs to validate TLS client certs used by the TLS
> client to authenticate.

It's pretty much unheard of for an LDAP server to trust TLS client certs 
issued by a CA different from the LDAP server's own CA. Since client certs are 
usually issued only to allow authentication, an LDAP server will only trust 
its own CA to issue identities to clients.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/