[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Mozilla NSS -- how to deploy intermediate certificate

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Friday, February 24, 2012 4:37 PM
To: richm@stanfordalumni.org
Cc: Rich Megginson; Aaron Bennett; openldap-technical@openldap.org
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate

Rich Megginson wrote:
> On 02/24/2012 01:31 PM, Aaron Bennett wrote:

>> On other oddity about this is there are two boxes in play -- one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd behind the hostname 'ds.clarku.edu.' However the cert I have installed on each box is for ds.clarku.edu.

> Not sure how this works with openldap - the usual way to handle this 
> is to use subjectAltName so that the server's cert has 
> animal.clarku.edu zoot.clarku.edu and ds.clarku.edu

That's already documented here:

Obviously there is a standard for it and we implement that spec.

That's great -- and I understand, but the error I'm getting is "The issuer certificate is unknown" from Apache Directory Explorer and "TLS: peer cert untrusted or revoked (0x42)" from ldapwhoami.  If the cert that's loaded into Mozilla NSS is for 'ds.clarku.edu' and the request is sent for 'ds.clarku.edu', how are animal and zoot coming into play?  I'm happy to get a new cert with subjectAltName's as appropriate, but I'm concerned that the issue is an improperly loaded or missing intermediate certificate.  

Rich, can you give me some more direction on how to verify that the intermediate certificate is properly deployed?

Thanks for your time,