
RE: Server Certificate Chain



Howard,

I have read that, and I have set a bundle of my Root/Child CA certificates with
the TLSCACertificateFile directive.

My TLS configuration is as follows:

TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never

Anyway, if I do not include the Child CA certificate in the appropriate
stores on the client side, the server certificate cannot be verified.

I have tried to get some more info with openssl (openssl s_client -connect
hostname:636), and it reports that no client certificate CA names are
sent.

Any suggestions?

~Cheers~

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain

Read the Admin Guide, section 12.2.1.1.

Krasimir Ganchev wrote:
> Hello guys,
> 
> I am using a globally recognized certificate with my openldap server, 
> which is issued by a Child CA trusted by the Root CA of my certificate 
> provider. Is there any possible way to include the Child CA certificate 
> within the server certificate chain?
> 
> The thing is that I have a couple of Windows-based clients using my 
> openldap server and I can't make them verify the server certificate. The 
> Root CA is included in the trusted Root CAs Windows store, but since the 
> Child CA isn't there and doesn't appear in the certificate chain, the 
> clients cannot verify the server certificate and give up with an 
> error unless they are configured to ignore errors.
> 
> That's the reason why I would like to include the Child CA (Signing CA) 
> certificate within the server certificate chain, which will allow those 
> clients to confirm the server's certificate and its signing CA certificate 
> against the trusted root CA.
> 
> Is there any possible way to achieve that and is it up to configuration?


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
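The situation in this thread, as an added example that is not code from the thread or from OpenLDAP: it builds a throwaway Root CA, Child CA and server certificate with the openssl CLI, then emulates a client that trusts only the Root CA and shows that the server certificate verifies only when the Child CA certificate is sent along with it. It assumes only that the openssl binary is available; every name in it is made up.

```shell
#!/bin/sh
# Added demo (not from this thread): build Root CA -> Child CA -> server cert
# with the openssl CLI and show why a client that trusts only the Root CA
# cannot verify the server certificate unless the Child CA certificate is
# served alongside it. Every name here is made up; needs the openssl binary.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1
printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ext.cnf
printf '[leaf]\nbasicConstraints=CA:FALSE\n' >> ext.cnf
# issue NAME SUBJECT ISSUER EXT_SECTION: writes NAME.key and NAME.pem;
# ISSUER is "self" for the root, otherwise the NAME of the signing CA
issue() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
            -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
            -days 1 -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
    fi
}

# How many certificates a PEM bundle (what the server would send) contains
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject and issuer of each certificate in a bundle, in the order sent
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Emulate a client whose trust store holds only TRUST_PEM ($1) and that got
# SERVED_PEM ($2: leaf first, then any CA certs) from the server. Exit 0 =
# verified. Same check as "openssl verify" on "s_client -showcerts" output.
client_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

issue root  "/CN=Example Root CA"    self  ca
issue child "/CN=Example Child CA"   root  ca
issue ldap  "/CN=ldap.example.test"  child leaf
cat ldap.pem           > served-leaf-only.pem   # server cert alone
cat ldap.pem child.pem > served-with-chain.pem  # server cert + Child CA

for f in served-leaf-only.pem served-with-chain.pem; do
    if client_verifies root.pem "$f"; then r=verified; else r=NOT-verified; fi
    echo "$f: $(cert_count "$f") cert(s) sent -> $r"  # only the 2-cert bundle verifies
done
```

Against a live server the same check is `openssl s_client -connect hostname:636 -showcerts`: the certificates it prints are all the client has to work with, so if the Child CA is not among them the client must have it installed locally.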