[Date Prev][Date Next]
Re: Problem verifying self signed certificate
At 08:45 AM 9/4/2005, Peter Marschall wrote:
>AFAIK this is expected behaviour as you cannot use a self-signed server
>certificate with openLDAP.
Have you examined the certificate at ldap.openldap.org?
It's a self-signed certificate.
>OpenLDAP expects you to use a server certificate that is different from the
>certificate of the issueing CA.
You simply need to configure the client to accept the
server's certificate as valid by setting the CA file
to a copy of the server's certificate.
Of course, it generally recommended that server certificates
should be signed by a separate CA certificate.
Expecting the actually configuration directives
(see ldap.conf(5)), none of this is actually specific
to OpenLDAP (as evident from the following):
% openssl s_client -host ldap.openldap.org -port 636 > ! openldap.cert
verify error:num=18:self signed certificate
verify return:1 ...
% openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
Verify return code: 0 (ok)