
OpenLDAP and wildcard SSL certs
I have been unable to find a way to get wildcard SSL certs to work
with OpenLDAP 2.1.32 and OpenSSL 0.9.6b (plus security patches). I have
created my own CA, and used it to sign a cert. with cn=ldap.example.com
and that works fine. (The proper TLS_CACERT setting is in ldap.conf for
ldapsearch etc.)

If I do the same to sign a cert. with cn=*.example.com it works fine
for everything I've tested (Apache, Sendmail, etc.), but not OpenLDAP.
This page:

http://www.openldap.org/lists/openldap-bugs/200311/msg00034.html

says that you need to use subjectAltName instead of CN. So I added the
appropriate lines to openssl.cnf and created a cert. with cn=*.example.com
plus subjectAltName=DNS:*.example.com, and OpenLDAP fails that with:

$ ldapsearch -h ldap.example.com -ZZ -xLLL uid=foo
ldap_start_tls: Connect error (91)
        additional info: TLS: hostname does not match CN in peer certificate

But OpenSSL itself is able to validate it fine (on the SSL-wrapped port):

$ openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile <my-CA-pem-file>
[...]
    Verify return code: 0 (ok)

I also tried a cert. with no CN plus subjectAltName=DNS:*.example.com
and OpenLDAP fails that with:

$ ldapsearch -h ldap.example.com -ZZ -xLLL uid=foo
ldap_start_tls: Local error (82)
        additional info: TLS: unable to get CN from peer certificate

Can someone please point me to step-by-step documentation for how you're
supposed to create a CSR with a wildcard domain, which when signed into
a certificate will work with OpenLDAP? Thanks.

-- 
Brent J. Nordquist <b-nordquist@bethel.edu> N0BJN
Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html
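As an added illustration (not code from the post, from OpenLDAP or from OpenSSL), here is the hostname check an RFC 2818 / RFC 6125 style TLS client performs, run against the three certificate shapes the post describes. The certificate dicts are constructed stand-ins in the layout Python's ssl.getpeercert() uses; the matching OpenLDAP 2.1.32 itself applies is not reproduced, only the behaviour a SAN-aware client is expected to show.

```python
"""Client-side TLS hostname verification in the RFC 2818 / RFC 6125 style,
exercised with the certificate shapes from the post (constructed inline)."""


def _match_dns(pattern, hostname):
    """Match one dNSName pattern against a hostname: case-insensitive,
    label by label; a '*' is honoured only as the whole left-most label,
    so '*.example.com' covers 'ldap.example.com' but not 'example.com' or
    'a.b.example.com', and 'ld*.example.com' is not a wildcard at all."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels) or "" in hlabels:
        return False
    if plabels[0] == "*":
        # stricter-than-RFC choice: at least two labels after the wildcard,
        # so a pattern like '*.com' is never accepted
        return len(plabels) >= 3 and plabels[1:] == hlabels[1:]
    return "*" not in pattern and plabels == hlabels


def verify_hostname(cert, hostname):
    """cert mimics ssl.getpeercert(): {'subject': ((('commonName', v),),),
    'subjectAltName': (('DNS', v), ...)}. Returns (ok, reason).
    If the cert carries any DNS SAN, the CN is never consulted."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        for san in sans:
            if _match_dns(san, hostname):
                return True, "matched subjectAltName DNS:%s" % san
        return False, "hostname does not match any subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not cns:
        return False, "no subjectAltName and no CN in peer certificate"
    if any(_match_dns(cn, hostname) for cn in cns):
        return True, "matched CN (no subjectAltName present)"
    return False, "hostname does not match CN"


# The three certificates described in the post (constructed stand-ins):
CERT_CN_EXACT = {"subject": ((("commonName", "ldap.example.com"),),)}
CERT_CN_WILD_PLUS_SAN = {"subject": ((("commonName", "*.example.com"),),),
                         "subjectAltName": (("DNS", "*.example.com"),)}
CERT_SAN_ONLY = {"subject": (), "subjectAltName": (("DNS", "*.example.com"),)}


def check_post_certs(hostname="ldap.example.com"):
    """Run the RFC-style check over the three shapes; all three should pass."""
    return {name: verify_hostname(cert, hostname) for name, cert in [
        ("cn exact", CERT_CN_EXACT),
        ("cn wildcard + SAN", CERT_CN_WILD_PLUS_SAN),
        ("SAN only", CERT_SAN_ONLY)]}


if __name__ == "__main__":
    for name, (ok, why) in check_post_certs().items():
        print("%-20s %s: %s" % (name, "OK" if ok else "FAIL", why))
```

All three shapes pass here, including the CN-less certificate, because a SAN-aware client never needs the CN once a dNSName is present; that is exactly the case the post reports OpenLDAP 2.1.32 rejecting with "unable to get CN from peer certificate".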