On 02/27/2012 01:17 PM, Aaron Bennett wrote:
this is now the top hit for “openldap Mozilla nss
intermediate certificate,” here’s what I ended up doing:
[rant] First of all, I sincerely hate Mozilla
NSS. I don’t understand why RH decided to build OpenLDAP
It's not just openldap, it's many other components.
And, if you are a Red Hat customer, please report any problems with
using Red Hat products with your support channel. Red Hat is
committed to making openldap + mozilla NSS work.
That was the intention - that customers upgrading from openldap +
openssl to openldap + moznss should not notice or care about the
underlying crypto implementation - it should just work exactly as
that aside, I noticed in the excellent FAQ at http://www.openldap.org/faq/data/cache/1514.html
that “If you previously used OpenLDAP with OpenSSL, and have
certificate files, cipher suites, and other TLS settings
specified in your configuration files, those settings should
work exactly the same way with Mozilla NSS - OpenLDAP with
Mozilla NSS knows how to read those settings, files, etc.
and apply them in the same way.” So, I went to ol’ reliable
/etc/tls/certs and generated a key and CSR, put the key in
/etc/tls/private, and put the signed cert in
/etc/tls/certs. I also put the GeoTrust intermediate cert
in /etc/tls/certs as well, and then changed cn=config to
Happy TLS’ing everyone.
need to publish the GeoTrust intermediate certificate; I’m
using 2.4.29 built against Mozilla NSS. In OpenSSL world,
I’d use -- I think -- TLSCACertificateFile
/path/to/CA-certificates. Here’s what I’ve tried:
certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt
certutil -d /etc/openldap/nssdb/ -L
looks like this:
still clients cannot verify the cert.
Mozilla NSS gurus know what I’m doing wrong?