[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mozilla NSS -- how to deploy intermediate certificate

On 02/27/2012 09:14 AM, Aaron Bennett wrote:
-----Original Message-----
From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Monday, February 27, 2012 10:57 AM
To: Aaron Bennett
Cc: openldap-technical@openldap.org
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate

Rich, can you give me some more direction on how to verify that the intermediate certificate is properly deployed?
On the client:
certutil -d /path/to/nss-cert-db-directory -L

Rich, you aren't getting what I'm asking...

If I run: "certutil -d /etc/openldap/nssdb/ -L " on the server, it works, and if I try to connect to it from the server using the ldap clients (like ldapwhomi or ldapsearch or whatever) it works.

But, the client is a different computer, in this case, a Windows 7 box running Apache Directory Studio, or an ubuntu workstation running GnuTLS, or whatever, and they don't work -- I get " TLS: peer cert untrusted or revoked (0x42)."
OK. I don't know how those clients configure their TLS settings. The only think I know for sure is that you have to make sure each of those clients has the entire CA cert chain for the CA that issued the LDAP server cert.