
Re: Certificate in openldap



In message <1043078046.13005.18.camel@localhost> on 20 Jan 2003 16:54:06 +0100, Tony Earnshaw <tonni@billy.demon.nl> said:

tonni> Mon, 2003-01-20 at 14:12, Richard Levitte - VMS Whacker wrote:
tonni> > In message <001301c2c080$fc22a130$a503a8c0@PCGDL> on Mon, 20 Jan 2003
tonni> > 13:39:33 +0100, "De Leeuw Guy" <G.De_Leeuw@eurofer.be> said:
tonni> > 
tonni> > G.De_Leeuw> What is the recommended format of a certificate to add
tonni> > this cert in ldap ?
tonni> > G.De_Leeuw> Pem, der, crt ???
tonni> > 
tonni> > The attribute userCertificate;binary should take a certificate in raw
tonni> > DER.
tonni> 
tonni> Possibly. But that will break an awful lot of servers, such as Openldap,
tonni> and clients that can only work with .pem BER encoding. OTOH, FreeS/WAN
tonni> IPSEC insists on hashes, together with their .der cert. Not exactly easy
tonni> for the beginner.

I'm sorry, say what?  I've done exactly that, in a simple CA program I
built not long ago.  Of course, in an LDIF file, you'd have this:

  userCertificate;binary:: <...base64-encoded-der...>

And that, BTW, isn't the same thing as a certificate in PEM format.
PEM has those -----BEGIN ...----- and -----END ...----- lines.  Have
you actually seen that as a userCertificate value?

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
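
Added example, not part of the original message and not code from OpenLDAP or OpenSSL: the difference between PEM and the base64-encoded DER that goes into LDIF, shown by stripping the PEM armor and emitting a folded userCertificate;binary:: value. The sample bytes, the DN and all function names are constructed for illustration; the DN is assumed to be plain ASCII.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Strip the PEM armor and return the raw DER bytes inside it."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der[:1] != b"\x30":  # a certificate is an ASN.1 SEQUENCE
        raise ValueError("payload is not a DER SEQUENCE")
    return der

def ldif_binary_attr(name, value, width=76):
    """Return 'name:: <base64>' folded per RFC 2849 (continuation = 1 space)."""
    line = f"{name}:: {base64.b64encode(value).decode('ascii')}"
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def cert_modify_ldif(dn, pem_text):
    """Build an LDIF modify record that adds the certificate as raw DER."""
    attr = "userCertificate;binary"
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"add: {attr}",
        ldif_binary_attr(attr, pem_to_der(pem_text)),
        "-",
    ]) + "\n"

def ldif_unfold(text):
    """Undo RFC 2849 line folding."""
    return text.replace("\n ", "")

# Constructed sample: a DER SEQUENCE header plus filler bytes, NOT a real
# certificate, wrapped in PEM armor the way a CA tool would hand it over.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
SAMPLE_DN = "uid=jdoe,ou=People,dc=example,dc=com"  # hypothetical entry

if __name__ == "__main__":
    print(cert_modify_ldif(SAMPLE_DN, SAMPLE_PEM), end="")
```

The BEGIN/END lines never reach the directory: only the bytes between them, decoded to DER and re-encoded as a single base64 value, appear after the double colon.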