
Re: Antw: Re: TLSCACertificateFile directive and multiple CA certificates



On Thu, May 18 2017 at 20:17:16 +0900, Alexandre Rosenberg scribbled
 in "Re: Antw: Re: TLSCACertificateFile directive and multiple CA certificates":
> Hello,
> 
> I tested and the issue only happens if 2 CAs have the same DN.
> I regenerated the new CA with a different DN and it's working.
> 
> As I mentioned, I am not sure what the proper behaviour of
> OpenLDAP/OpenSSL should be in case 2 CAs have the same DN.
> 
> I am not sure if I am misunderstanding what TLSCACertificateFile is used
> for. The main use is to let OpenLDAP know which CA it should trust
> when validating certificates. That is clearly what is in the doc.
> 
> Best,
> 
> Alex

Hi Alex,

Glad you got it working.

I think the proper behaviour would be to not have 2 CAs with the same
DN, as the first match wins.  As the DN is used to identify the issuer
of the certificate you're attempting to authenticate, it would make
little sense to have a naming collision.

I realise the docs say that order doesn't matter, but that assumes
that all included certificates would have clearly distinguished
subject names (hence "DN").

Cheers.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Systems Development and Support
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
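Since the first certificate whose subject DN matches the issuer wins, a TLSCACertificateFile bundle that carries two CA certificates with the same subject DN is itself a misconfiguration worth catching before slapd does. The following is an added example, not code from this thread or from OpenLDAP: a stdlib-only Python check that lists every subject DN in a PEM bundle and reports the ones that collide. The `fake_cert_pem` helper and `SAMPLE_BUNDLE` are constructed, unsigned stand-ins that only mimic the tbsCertificate field order; run `duplicate_subjects()` on the real bundle file's text instead.

```python
import base64, re

# Minimal stdlib-only DER walking: just enough to reach the subject Name of an X.509 certificate.
def der_tlv(buf, pos=0):                 # decode one TLV at buf[pos] -> (tag, content, end offset)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def der_children(content):               # (tag, content) of each element inside a constructed value
    pos = 0
    while pos < len(content):
        tag, body, pos = der_tlv(content, pos)
        yield tag, body

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def name_to_str(name_der):               # X.501 Name = SEQUENCE OF SET OF {OID, value} -> "O=..,CN=.."
    parts = []
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))[:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)
def cert_subject(der):                   # Certificate -> tbsCertificate -> subject
    tbs = next(der_children(der_tlv(der)[1]))[1]
    fields = [c for t, c in der_children(tbs) if t != 0xA0]   # skip optional [0] version, then:
    return name_to_str(fields[4])        # serial, sigalg, issuer, validity, subject, ...

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def bundle_subjects(pem_text):           # subject DNs in file order (the order first-match-wins uses)
    return [cert_subject(base64.b64decode(m)) for m in PEM_RE.findall(pem_text)]
def duplicate_subjects(pem_text):        # subject DNs appearing more than once, with their counts
    subs = bundle_subjects(pem_text)
    return {dn: subs.count(dn) for dn in set(subs) if subs.count(dn) > 1}

# Constructed sample input: unsigned stand-ins with the real tbsCertificate field order, not usable certs.
def der(tag, content):                   # encode one TLV; short-form length is enough for these samples
    return bytes([tag, len(content)]) + content
def fake_cert_pem(cn, org):
    name = der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid) + der(0x0C, v.encode())))
                               for oid, v in ((b"\x55\x04\x0a", org), (b"\x55\x04\x03", cn))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name + der(0x30, b"") + name)      # version, serial, sigalg, issuer, validity, subject
    body = base64.encodebytes(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = (fake_cert_pem("Example Root CA", "Example") + fake_cert_pem("Other CA", "Example")
                 + fake_cert_pem("Example Root CA", "Example"))    # two CAs share one subject DN
```

Any non-empty result from `duplicate_subjects()` means slapd will always pick the earlier of the colliding certificates, whatever the docs say about order.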