Re: Using "keytool" to create security certificates for OpenLDAP
Safdar Kureishy wrote:
> 1) I'm on a Windows machine,
> and in the OpenLDAP installation
> directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
Personally, I wouldn't trust the certs unless you put them there or know
> Could you tell me which is which, and which I should
> add to the truststore on the client?
As it says, the server's key file. Keep this one private through very
The server cert. This is expressed in the handshake.
Put this one in the client truststore. This is the certificate for your
local Certificate Authority. Like Verisign or Thawte, only much cheaper
and not universally known or accepted.
You should probably keep this one pretty private as well.
You've heard of google, right? I actually wasn't familiar with this file
extension, but a twenty-second google search on 'ssl .srl' got me this
"The content of file.srl is a two digit number. eg. 00; it's incremented
when the CA issues a certificate"
> 2) I actually tried adding "server.pem" to my client's truststore
> using keytool, and it seems that it got added (it gets listed with the
So now you at least know for a fact you can import .pem format files
into Java stores.
> but when I do the following with JLDAP to connect to
> the OpenLDAP server, I get an LDAPException with a root message:
> "sun.security.validator.ValidatorException: No trusted certificate
The client gets this cert anyway in the handshake; it doesn't belong in
the truststore (you are confusing keystores and truststores). In other
words, the reason you're told the server's cert isn't *trusted* is that
the JRE doesn't recognize the certificate authority from whence it came.
That's why you need your local CA certificate in the client's CA truststore.
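A worked example of the advice above, added here and not part of the original thread or of JLDAP/OpenLDAP: it reads the PEM files to tell the CA certificate from the server certificate (a CA cert is self-issued and carries BasicConstraints CA:TRUE; the server cert is issued by that CA and its signature verifies under the CA's public key), builds a client truststore that holds only the CA certificate and no private key, and hands that truststore to JLDAP for an LDAPS connection. The directory, the file name cacert.pem, the host ldap.example.com, and the bind DN and password are assumptions for illustration; the only file name taken from the thread is server.pem. The equivalent on-disk step with keytool is `keytool -importcert -alias localca -file cacert.pem -keystore client-truststore.jks`, after which `-Djavax.net.ssl.trustStore=client-truststore.jks` points the JRE at it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPJSSESecureSocketFactory;

public class LdapTrustExample {

    // Parse one PEM-encoded X.509 certificate (the format OpenLDAP ships as server.pem).
    // The server's private key file is not a certificate and will not parse here.
    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Tell the files apart: a CA certificate is self-issued (subject == issuer) and
    // carries BasicConstraints CA:TRUE, which getBasicConstraints() reports as >= 0.
    // The server certificate is issued by the CA and reports -1.
    static String describe(X509Certificate cert) {
        boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        boolean isCa = cert.getBasicConstraints() >= 0;
        String role = (selfIssued && isCa)
                ? "CA certificate (goes in the client truststore)"
                : "end-entity certificate (sent by the server in the handshake)";
        return role + "\n  subject: " + cert.getSubjectX500Principal()
                    + "\n  issuer:  " + cert.getIssuerX500Principal();
    }

    // A truststore holds only certificates you choose to trust; a keystore holds your
    // own private key plus its certificate. This one is built in memory from the CA
    // certificate alone, exactly what the keytool -importcert step produces on disk.
    static SSLContext contextTrusting(X509Certificate caCert) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                       // start with an empty store
        ts.setCertificateEntry("localca", caCert); // trusted-cert entry, no key
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server auth only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths: the OpenLDAP ssl directory from the thread and a CA file name.
        String sslDir = args.length > 0 ? args[0] : "C:\\Program Files\\OpenLDAP\\ssl";
        X509Certificate serverCert = loadPem(sslDir + "\\server.pem");
        X509Certificate caCert = loadPem(sslDir + "\\cacert.pem");
        System.out.println("server.pem: " + describe(serverCert));
        System.out.println("cacert.pem: " + describe(caCert));

        // Before touching the network, confirm the CA really issued the server cert;
        // verify() throws if the signature does not check out under the CA key.
        serverCert.verify(caCert.getPublicKey());

        // Give JLDAP a socket factory whose trust decisions come from the CA-only store.
        SSLContext ctx = contextTrusting(caCert);
        LDAPConnection.setSocketFactory(new LDAPJSSESecureSocketFactory(ctx.getSocketFactory()));

        LDAPConnection lc = new LDAPConnection();
        try {
            lc.connect("ldap.example.com", 636); // assumed host; 636 is the LDAPS port
            lc.bind(LDAPConnection.LDAP_V3,
                    "cn=Manager,dc=example,dc=com",   // assumed bind DN
                    "secret".getBytes("UTF-8"));      // assumed password
            System.out.println("TLS handshake and bind succeeded");
        } finally {
            lc.disconnect();
        }
    }
}
```

If the handshake still fails with the CA certificate in place, compare the issuer printed for server.pem with the subject printed for the CA file: a mismatch means the server is presenting a certificate issued by a different CA than the one you imported.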