Re: Mozilla NSS -- how to deploy intermediate certificate
On 02/24/2012 01:31 PM, Aaron Bennett wrote:
> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
> Sent: Friday, February 24, 2012 3:25 PM
> Subject: RE: Mozilla NSS -- how to deploy intermediate certificate
>
>> From: Rich Megginson [mailto:firstname.lastname@example.org]
>> Sent: Friday, February 24, 2012 2:50 PM
>> To: Aaron Bennett
>> Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
>>
>> Is the ldapwhoami client on the same machine as the server? What is the client TLS configuration?
>
> No. If I run the ldapwhoami from the server it works correctly. In this particular case, I'm running it from an Ubuntu 11.10 workstation. Apache Directory Studio on Windows also throws a certificate error when trying to connect. Likewise I have reports of failure to connect via PHP-Ldap from a third computer.

TLS/SSL clients need at the very least the CA certificate chain in order
to verify the server's certificate.

> One other oddity about this is there are two boxes in play -- one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd behind the hostname 'ds.clarku.edu'. However the cert I have installed on each box is for ds.clarku.edu.

Not sure how this works with openldap - the usual way to handle this is
to use subjectAltName so that the server's cert has animal.clarku.edu,
zoot.clarku.edu and ds.clarku.edu
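The two points made in the reply above (a client that trusts only the root CA cannot verify the server's certificate unless it also gets the intermediate, and one certificate with a subjectAltName can cover ds, animal and zoot) can be reproduced offline with a throwaway chain. This is an added example, not code from the thread, from OpenLDAP or from NSS; it uses plain openssl rather than slapd or certutil, and every key, certificate and file name is generated here. The three hostnames are the ones from the thread.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> server chain, then show what a client
# that trusts only the root sees with and without the intermediate, and check the
# hostnames against the leaf's subjectAltName. Everything lives in a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the chain. Run in a subshell so the cd does not leak.
make_chain() (
  cd "$WORK"
  # Root CA (self-signed; req -x509 marks it CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Root CA" -days 2 2>/dev/null
  # Intermediate CA signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile inter.ext -out inter.crt -days 2 2>/dev/null
  # Server leaf signed by the intermediate, with a SAN listing all three names
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=ds.clarku.edu" 2>/dev/null
  printf 'subjectAltName=DNS:ds.clarku.edu,DNS:animal.clarku.edu,DNS:zoot.clarku.edu\nbasicConstraints=CA:FALSE\n' > server.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -extfile server.ext -out server.crt -days 2 2>/dev/null
  # What the server should present (leaf first, then intermediate)
  cat server.crt inter.crt > server-chain.pem
)

# A client that trusts only the root and receives only the leaf: no path to the root.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Same client, but the intermediate is available (sent by the server, or in the
# client's CA file): the chain builds.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Hostname check against the leaf's subjectAltName; $1 is the name the client used.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

demo() {
  make_chain
  if verify_leaf_only; then echo "leaf alone: verified (unexpected)"
  else echo "leaf alone: FAILED (what a client with only the root CA sees)"; fi
  if verify_with_intermediate; then echo "leaf + intermediate: verified"
  else echo "leaf + intermediate: FAILED (unexpected)"; fi
  for h in ds.clarku.edu animal.clarku.edu zoot.clarku.edu other.clarku.edu; do
    if verify_hostname "$h"; then echo "$h: matches SAN"; else echo "$h: no SAN match"; fi
  done
}

demo
```

Against a live server, `openssl s_client -connect ds.clarku.edu:636 -showcerts` shows whether the intermediate is actually being sent; if it is not, the client side needs it in the file named by `TLS_CACERT` in ldap.conf (or `LDAPTLS_CACERT` in the environment) for `ldapwhoami -ZZ` to succeed. How the intermediate is handed to slapd itself depends on which TLS library it was built against, which is what the thread's subject (the MozNSS build) is about, so the script stays at the openssl level.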