[Date Prev][Date Next]
Re: Problem verifying self signed certificate
Villy Kruse wrote:
On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:I don't believe that statement helps in any way to clarify the
situation. A cert that is signed by a trusted CA is by definition *not*
a self-signed cert.
At 08:45 AM 9/4/2005, Peter Marschall wrote:A self signed certificate cannot be verified. For that you will need
AFAIK this is expected behaviour as you cannot use a self-signed server
certificate with openLDAP.
Have you examined the certificate at ldap.openldap.org?
It's a self-signed certificate.
the certificate to be signed by a trusted CA. However, a selfsigned
certificate can be used to establish an encrypted connection.
Note (again, and again, and again...) that "self-signed" does not mean
"a certificate that I created by myself." It means "a certificate that
was not signed by a separate certificate authority."
Ultimately every chain of trusted certs leads back to a self-signed
cert, because no matter how many CAs are in the chain, ultimately
there's a root level that has no superior to sign for it. That root
level cert is necessarily self-signed. The point is that any client and
server must be explicitly configured to trust a particular self-signed
cert. For the OpenLDAP client that means you point the TLS_CACERT
directive (see ldap.conf(5)) at a PEM file containing the self-signed
cert. For the slapd server you use the corresponding
TLSCACertificateFile directive. You must use these configuration
directives if you want to accept a self-signed cert.
OpenLDAP works fine with certificates you create yourself. Whether you
use a single self-signed cert for the server, or you create a
self-signed CA cert and then use that to create and sign separate server
certs doesn't matter; the code will work either way. But whichever way
you choose, the cert you create that is self-signed *must* be configured
on all of the clients and servers. That's true whether you create the
certs, or whether you buy them from a commercial cert vendor. (Obviously
for a vendor-supplied cert, you configure the vendor's CA cert.)
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/