[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using "keytool" to create security certificates for OpenLDAP

Safdar Kureishy wrote:
1) I'm on a Windows machine,

So sorry.

and in the OpenLDAP installation
directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
related files.

Personally, I wouldn't trust the certs unless you put them there or know who did.

Could you tell me which is which, and which I should
add to the truststore on the client?
- serverkey.pem

As it says, the server's key file. Keep this one private through very limited permissions.

- server.pem

The server cert. This is expressed in the handshake.

- CA.pem

Put this one in the client truststore. This is the certificate for your local Certificate Authority. Like Verisign or Thawte, only much cheaper and not universally known or accepted.

- cakey.pem

You should probably keep this one pretty private as well.

- ca.srl

You've heard of google, right? I actually wasn't familiar with this file extension, but a twenty second google search on 'ssl .srl' got me this pat explanation:

"The content of file.srl is a two digit number. eg. 00; it's incremented when the CA issues a certificate"

2) I actually tried adding "server.pem" to my client's truststore
using keytool, and it seems that it got added (it gets listed with the
-list option)

So now you at least know for a fact you can import .pem format files into Java stores.

but when I do the following with JLDAP to conenct to
the OpenLDAP server, I get an LDAPException with a root message:
"sun.security.validator.ValidatorException: No trusted certificate

The client gets this cert anyway in the handshake; it doesn't belong in the truststore (you are confusing keystores and truststores). In other words, the reason you're told the server's cert isn't *trusted* is that the JRE doesn't recognize the certificate authority from whence it came. That's why you need your local CA certificate in the client's CA truststore.

Jon Roberts