[Date Prev][Date Next]
Re: Mozilla NSS -- how to deploy intermediate certificate
On 02/27/2012 06:26 AM, Aaron Bennett wrote:
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Friday, February 24, 2012 4:37 PM
Cc: Rich Megginson; Aaron Bennett; email@example.com
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
Rich Megginson wrote:
On 02/24/2012 01:31 PM, Aaron Bennett wrote:
On other oddity about this is there are two boxes in play -- one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd behind the hostname 'ds.clarku.edu.' However the cert I have installed on each box is for ds.clarku.edu.
Not sure how this works with openldap - the usual way to handle this
is to use subjectAltName so that the server's cert has
animal.clarku.edu zoot.clarku.edu and ds.clarku.edu
That's already documented here:
Obviously there is a standard for it and we implement that spec.
That's great -- and I understand, but the error I'm getting is "The issuer certificate is unknown" from Apache Directory Explorer and "TLS: peer cert untrusted or revoked (0x42)" from ldapwhoami. If the cert that's loaded into Mozilla NSS is for 'ds.clarku.edu' and the request is sent for 'ds.clarku.edu', how are animal and zoot coming into play? I'm happy to get a new cert with subjectAltName's as appropriate, but I'm concerned that the issue is an improperly loaded or missing intermediate certificate.
Rich, can you give me some more direction on how to verify that the intermediate certificate is properly deployed?
On the client:
certutil -d /path/to/nss-cert-db-directory -L
Thanks for your time,