
RE: Multi-homed machine and TLS (not related to Multi-home but TLS CACERT confusion)



Thank you very much for pointing out my confusion. I am sorry; when I
wrote rubbish I might have further confused many of us.

Very sorry, in my last mail I had mistaken and confused CA Cert and
Server Cert. In my case the file cacert.pem at ALL LDAP Clients contains
TWO CA Certs (demoCA) I created using guidance from
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html, one created
at the MASTER LDAP, the other at the SLAVE.

I put TWO CA Certs into cacert.pem at ALL LDAP Clients, and tested that the
MASTER to SLAVE failover works,
BUT
I put ONE CA Cert (the demoCA created) at the MASTER and SLAVE LDAP Server.

Allow me to show a portion of "man ldap.conf" (from 2.2.15 TLS_CACERT is
there, but it IS MISSING in 2.2.13). I followed the notes here and PUT
TWO CA Certs in cacert.pem at the LDAP client:
===
     TLS_CACERT <filename>
          Specifies the file that contains certificates  for  all
          of  the  Certificate Authorities the client will recog-
          nize.
===
As the above says certificate(s), I don't understand why you say _one_
CA (cert?). Do you mean _one_ CA cert (for self-signing the Server Cert CSR)
at EACH LDAP Server? If yes, I did not contradict this, as I put ONE CA Cert
(the demoCA created) in cacert.pem of the LDAP Server.

Rgds
Gary

-----Original Message-----
From: Greg Matthews [mailto:gmatt@nerc.ac.uk] 
Sent: Thursday, September 16, 2004 4:21 PM
To: Tay, Gary
Cc: openldap
Subject: RE: Multi-homed machine and TLS


Whether you paid for certs or not is irrelevant - the process is the
same. You create _one_ CA (using openssl if you wish) which you use to
sign cert requests for each server. The client then needs _one_ copy of
the CA certificate to verify each of the server certs.

I don't mean to be rude but this is fundamental stuff. I admit it can be
a bit confusing when starting out, but you should make sure you
understand this stuff or take it to a relevant mailing list.

GREG


On Wed, 2004-09-15 at 19:19, Tay, Gary wrote:
> Again, if I am not wrong, let me clarify:
>  
> The two certs in my cacert.pem at my LDAP clients are neither Server 
> certs nor CA certs, they are "Server Certs Self-Signed by a CA Cert 
> generated at the server". The file name happened to be named 
> "cacert.pem", one can call it anything.
>  
> I did not send any server cert to a valid CA and pay for the signing 
> service. Most testing systems use self-signed certs.
>  

-- 
Greg Matthews
iTSS Wallingford	01491 692445
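The one-CA layout Greg describes, set against the two-CA layout Gary ended up with, as an added example that is not part of the thread or of the howto it cites. It assumes only the openssl command line; the hostnames master.example.org, slave.example.org and slave2.example.org and the CA names are made up. One CA (demoCA) signs the CSRs of both servers, so a client whose TLS_CACERT file holds just that CA certificate accepts both; a slave that ran its own CA (demoCA-slave here) is only accepted once the client's TLS_CACERT file also carries that second CA certificate, which is the bundle Gary built.

```shell
#!/bin/sh
# Added example (not from the thread): one CA signing every server's CSR,
# versus one CA per server. Hostnames and CA names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + certificate, like the howto's demoCA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server_cert CA HOST: key + CSR for HOST, CSR signed by CA's key
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# client_trusts CAFILE HOST: the chain check an LDAP client makes with
# TLS_CACERT pointing at CAFILE; prints "ok" or "rejected"
client_trusts() {
  if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Greg's layout: ONE CA, both servers' CSRs signed by it
make_ca demoCA
make_server_cert demoCA master.example.org
make_server_cert demoCA slave.example.org

# Gary's layout: the slave ran its own CA and signed its own cert with it
make_ca demoCA-slave
make_server_cert demoCA-slave slave2.example.org

# What the client's TLS_CACERT file holds in each case: CA certs only,
# never the server certs themselves
cp "$WORK/demoCA.crt" "$WORK/one-ca.pem"
cat "$WORK/demoCA.crt" "$WORK/demoCA-slave.crt" > "$WORK/two-ca.pem"

for host in master.example.org slave.example.org slave2.example.org; do
  echo "TLS_CACERT=one-ca.pem $host: $(client_trusts "$WORK/one-ca.pem" "$host")"
  echo "TLS_CACERT=two-ca.pem $host: $(client_trusts "$WORK/two-ca.pem" "$host")"
done
```

With one-ca.pem the client accepts master and slave and rejects slave2; with two-ca.pem it accepts all three. The bundle works, but every CA certificate in it is a full trust anchor for the client, so the cleaner arrangement is the one Greg gives: keep the single CA key in one place, sign each server's CSR with it, and ship only that one CA certificate to the clients.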