Mozilla NSS / OpenLdap 2.4.23 cert not readable?


I'm trying to grok Mozilla NSS prior to deploying Openldap 2.4.23 on RHEL 6.2.  I've been working through creating a self-signed cert and I think I have one that works.  At least, if I do:

[root@animal ~]# certutil -d /etc/pki/nssdb/ -L

Certificate Nickname                                         Trust Attributes

its                                                          Cu,Cu,Cu
animal.clarku.edu                                            p,p,p

The "its" cert is the one I used to sign.

If I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L -n animal.clarku.edu

Then I see a normal looking cert:
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ITS Self Signed"
            Not Before: Mon Dec 12 16:01:27 2011
            Not After : Mon Mar 12 16:01:27 2012
        Subject: "CN=animal.clarku.edu,O=Clark University ITS,L=Worcester,ST=

Here's what I've got in cn=config:
olcTLSCACertificatePath: /etc/pki/nssdb/
olcTLSCertificateFile: animal.clarku.edu

If I do those commands as the ldap user with sudo -u ldap, I get the same output.  I can even run "certutil -V -n animal.clarku.edu -u SR -d /etc/pki/nssdb/" and I get "certificate is valid".

However when I start slapd, I get:

[root@animal slapd.d]# service slapd start
animal.clarku.edu is not readable by "ldap"                [WARNING]
Starting slapd:                                            [  OK  ]

What am I missing?



Aaron Bennett
Manager of Systems Administration
Clark University ITS
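A small check script, added here as an example and not part of the original message or of the OpenLDAP/RHEL init script. It assumes (the post does not say so) that the warning text comes from a plain file-readability test applied to each olcTLSCertificateFile / olcTLSCertificateKeyFile value as the service user, so a value that is an NSS nickname rather than a path can never satisfy it. The script reproduces that test, then falls back to looking the value up as a nickname in the database named by olcTLSCACertificatePath with the same certutil form the post uses (certutil -d DIR -L -n NICK). It also covers olcTLSCertificateKeyFile, which the post does not set. The function names, output words and the sample LDIF are constructed for the example.

```shell
#!/bin/sh
# Example (not the init script's own code): reproduce a file-readability
# test on olcTLS* values and tell NSS nicknames from PEM paths.

# classify_tls_value VALUE NSSDBDIR
#   Prints how VALUE (an olcTLSCertificateFile or olcTLSCertificateKeyFile
#   setting) fares under a "[ -r ]" test, and, when it is not a path, whether
#   it names a certificate in the NSS database at NSSDBDIR.
classify_tls_value() {
    value=$1
    dbdir=$2
    case $value in
        /*)
            # Absolute path: what a PEM-oriented readability test expects.
            if [ -r "$value" ]; then
                echo file-readable
            else
                echo file-unreadable
            fi
            ;;
        "")
            echo empty
            ;;
        *)
            # Not a path, so a file test can only fail. Treat it as an NSS
            # nickname and confirm with certutil when the tool and the
            # database directory are present; otherwise report it unverified.
            if [ -d "$dbdir" ] && command -v certutil >/dev/null 2>&1; then
                if certutil -d "$dbdir" -L -n "$value" >/dev/null 2>&1; then
                    echo nss-nickname
                else
                    echo nss-nickname-missing
                fi
            else
                echo nss-nickname-unverified
            fi
            ;;
    esac
}

# olc_tls_values LDIFFILE
#   Prints "attribute value" for every olcTLS* attribute in LDIFFILE.
olc_tls_values() {
    sed -n 's/^\(olcTLS[A-Za-z]*\): *\(.*\)$/\1 \2/p' "$1"
}

# check_slapd_tls LDIFFILE
#   Reports each olcTLS* value; returns 1 only when an absolute path is not
#   readable by the current user. Run it via sudo -u ldap (as in the post)
#   to test as the service account. NSS nicknames are reported, not failed.
check_slapd_tls() {
    ldif=$1
    dbdir=$(sed -n 's/^olcTLSCACertificatePath: *//p' "$ldif" | head -n 1)
    report=$(olc_tls_values "$ldif" | while read -r attr value; do
        case $attr in
            olcTLSCertificateFile|olcTLSCertificateKeyFile)
                echo "$attr: $value -> $(classify_tls_value "$value" "$dbdir")" ;;
            *)
                echo "$attr: $value" ;;
        esac
    done)
    printf '%s\n' "$report"
    case $report in
        *file-unreadable*) return 1 ;;
    esac
    return 0
}

# Usage: sh check_tls.sh /path/to/slapd.d/LDIF-with-olcTLS-attributes
if [ "$#" -gt 0 ]; then
    check_slapd_tls "$1"
fi
```

With the two attributes from the post the script reports animal.clarku.edu as an NSS nickname rather than as an unreadable file, which is the distinction a test written for PEM paths cannot make on its own; what it does not tell you is whether slapd itself, as opposed to the init script, accepts that configuration.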