Re: CA and Intermediate Certificates



Andrew Devenish-Meares <adevenis@une.edu.au> writes:

> We're currently starting to migrate our certificates to AusCERT, as we 
> get a good deal as a University.  As AusCERT is an intermediate CA, we 
> need to use a chain to get this to work.
> [...]
> This means that we need to install the intermediate certificate on 
> clients that connect to our LDAP using SSL or TLS.  Admittedly this 
> isn't vastly different to what we need to do now in supplying our own CA.

You have to put the chain leading to the well-known root CA into your
server certificate file:

-----BEGIN CERTIFICATE-----
[your server cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[the intermediate certificate (issuer of your server cert)]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[possible other intermediate certificate (issuer of your intermediate cert)]
-----END CERTIFICATE-----

You may include the well-known root CA at the end (as the final issuer),
but that is not necessary, as that certificate must be present and
trusted on the client systems anyway.
-- 
Regards,
Feri.