RE: Server Certificate Chain
I have read that and I have set a bundle of my Root/Child CA included with
the TLSCACertificateFile directive.
My TLS configuration is as follows:
Anyway, if I do not include the Child CA certificate in the appropriate
stores at the client side, the server certificate cannot be verified.
I have tried to get some more info with openssl (openssl s_client -connect
hostname:636) and it returns that there are no client certificate CA names
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Subject: Re: Server Certificate Chain
Read the Admin Guide, section 18.104.22.168.
Krasimir Ganchev wrote:
> Hello guys,
> I am using a globally recognized certificate with my openldap server
> which is issued by a Child CA trusted by the Root CA of my certificate
> provider. Is there any possible way to include the Child CA certificate
> within the server certificate chain?
> The thing is that I have a couple of Windows-based clients using my
> openldap server and I can't make them verify the server certificate. The
> Root CA is included in the trusted Root CAs Windows store, but since the
> Child CA ain't there and doesn't appear in the certificate chain the
> clients could not verify the server certificate and give up with an
> error unless they are being configured to ignore errors.
> That's the reason why I would like to include the Child CA /Signing CA/
> certificate within the server certificate chain which will allow those
> clients to confirm the server's certificate and its signing CA certificate
> against the trusted root CA.
> Is there any possible way to achieve that and is it up to configuration?
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
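
The verification problem discussed in this thread can be reproduced offline with `openssl verify`. The script below is an added example, not part of the original messages: it builds a throwaway Root CA, Child CA and server certificate (all names and files are constructed) and checks the server certificate against a client that trusts only the root, first without and then with the Child CA certificate supplied as an untrusted intermediate.

```shell
#!/bin/sh
# Constructed demo PKI: demo-root -> demo-child -> ldap.example.test.
# Every name and file here is made up for the example.

build_demo_pki() {   # $1 = empty working directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > "$d/demo.cnf"
    # Self-signed Root CA: the only certificate the client trusts.
    openssl req -x509 -config "$d/demo.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=demo-root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Child (signing) CA issued by the root, then the server cert issued by the child.
    issue "$d" child root ca "/CN=demo-child" &&
    issue "$d" server child leaf "/CN=ldap.example.test"
}

issue() {   # $1=dir $2=new name $3=issuer name $4=extension section $5=subject
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes -subj "$5" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/demo.cnf" -extensions "$4" -days 2 \
        -out "$1/$2.pem" 2>/dev/null
}

# Succeeds only if server.pem chains to the trusted root.
# $2 (optional) = intermediates the server presents alongside its own cert.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/server.pem" 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/server.pem" 2>&1
    fi | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
if chain_verifies "$demo_dir"; then echo "leaf only: verified"
else echo "leaf only: FAILED (issuer demo-child unknown to the client)"; fi
if chain_verifies "$demo_dir" "$demo_dir/child.pem"; then echo "leaf + child: verified"
else echo "leaf + child: FAILED"; fi
```

Against a live server, `openssl s_client -connect hostname:636 -showcerts` prints the certificates the server actually sends, which shows whether the Child CA certificate is part of the presented chain.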