[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem verifying self signed certificate

Villy Kruse wrote:
On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:
At 08:45 AM 9/4/2005, Peter Marschall wrote:
AFAIK this is expected behaviour as you cannot use a self-signed server
certificate with openLDAP.
Have you examined the certificate at ldap.openldap.org?
It's a self-signed certificate.
A self signed certificate cannot be verified. For that you will need
the certificate to be signed by a trusted CA. However, a selfsigned
certificate can be used to establish an encrypted connection.
I don't believe that statement helps in any way to clarify the situation. A cert that is signed by a trusted CA is by definition *not* a self-signed cert.

Note (again, and again, and again...) that "self-signed" does not mean "a certificate that I created by myself." It means "a certificate that was not signed by a separate certificate authority."

Ultimately every chain of trusted certs leads back to a self-signed cert, because no matter how many CAs are in the chain, ultimately there's a root level that has no superior to sign for it. That root level cert is necessarily self-signed. The point is that any client and server must be explicitly configured to trust a particular self-signed cert. For the OpenLDAP client that means you point the TLS_CACERT directive (see ldap.conf(5)) at a PEM file containing the self-signed cert. For the slapd server you use the corresponding TLSCACertificateFile directive. You must use these configuration directives if you want to accept a self-signed cert.

OpenLDAP works fine with certificates you create yourself. Whether you use a single self-signed cert for the server, or you create a self-signed CA cert and then use that to create and sign separate server certs doesn't matter; the code will work either way. But whichever way you choose, the cert you create that is self-signed *must* be configured on all of the clients and servers. That's true whether you create the certs, or whether you buy them from a commercial cert vendor. (Obviously for a vendor-supplied cert, you configure the vendor's CA cert.)

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/