[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP/SSL and SSL Trust Chain?

To: Paul Reilly <pareilly@tcd.ie>
Subject: Re: OpenLDAP/SSL and SSL Trust Chain?
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Fri, 17 Jan 2003 12:06:44 +0000
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <Pine.OSF.4.43L0.0301171136000.1644-100000@web2.tcd.ie>
References: <20030117100559.GK31352@brick.skills-1st.co.uk> <Pine.OSF.4.43L0.0301171136000.1644-100000@web2.tcd.ie>
User-agent: Mutt/1.3.27i

On Fri, Jan 17, 2003 at 11:42:14AM +0000, Paul Reilly wrote:

> But I can't use a self-signed certificate.... that made me think I must
> get a globally signed cert.. and use their root CACERT ?!

There is a lot of confusion about self-signed certificates, partly
because the term is now being used in two different ways:

1)	In the standards, a self-signed certificate is literally a
	certificate whose signature was generated using the key that
	the certificate refers to. All root certificates are of this
	form, since by definition there is no 'higher' certificate to
	sign them with: the *certificate* signs itself.

2)	A common usage has developed where the term 'self-signed
	certificate' refers to any certificate generated by an
	organisation or end-user without using the services of any
	commercial certification service.

	It might be better to refer to these as 'closed community'
	certificates because there is no public service for verifying
	them.

Using the standard definition (1), it is wrong to use a self-signed
certificate directly for a service: these are root-level certificates
and should only be used for signing other certificates. This is a
common error, and very few applications checked for it in the past.
More checks are now done by OpenSSL at least, so service operators
have to get this right.

Thus if you want to avoid paying money to a public certificate
provider (or if you cannot find one that will generate the form of
certificate that you need) you must make at least two certs:

	Make yourself a root certificate. This is self-signed in both
	senses of the term. It should be marked as a
	certificate-signing certificate.

	Generate a key for your service. Use this to generate a
	certificate for the service, signed using your root
	certificate. This service certificate is *not* self-signed
	under the standard definition above, but like your root
	certificate it *is* a 'closed community' certificate.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

Follow-Ups:
- Re: OpenLDAP/SSL and SSL Trust Chain?
  - From: Paul Reilly <pareilly@tcd.ie>

References:
- Re: OpenLDAP/SSL and SSL Trust Chain?
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: OpenLDAP/SSL and SSL Trust Chain?
  - From: Paul Reilly <pareilly@tcd.ie>

Prev by Date: communication between two(or more) different LDAP servers
Next by Date: Re: slapd does not start
Index(es):
- Chronological
- Thread