[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem verifying self signed certificate

At 08:45 AM 9/4/2005, Peter Marschall wrote:
>AFAIK this is expected behaviour as you cannot use a self-signed server 
>certificate with openLDAP.

Have you examined the certificate at ldap.openldap.org?
It's a self-signed certificate.

>OpenLDAP expects you to use a server certificate that is different from the 
>certificate of the issueing CA.


You simply need to configure the client to accept the
server's certificate as valid by setting the CA file
to a copy of the server's certificate.

Of course, it generally recommended that server certificates
should be signed by a separate CA certificate.

Expecting the actually configuration directives
(see ldap.conf(5)), none of this is actually specific
to OpenLDAP (as evident from the following):

% openssl s_client -host ldap.openldap.org -port 636 > ! openldap.cert
verify error:num=18:self signed certificate
verify return:1 ...
% openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
   Verify return code: 0 (ok)