[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mozilla NSS -- how to deploy intermediate certificate



On 02/24/2012 01:31 PM, Aaron Bennett wrote:

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
Sent: Friday, February 24, 2012 3:25 PM
To: richm@stanfordalumni.org
Cc: openldap-technical@openldap.org
Subject: RE: Mozilla NSS -- how to deploy intermediate certificate



From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Friday, February 24, 2012 2:50 PM
To: Aaron Bennett
Cc: openldap-technical@openldap.org
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate

Is the ldapwhoami client on the same machine as the server?   What is the client TLS configuration?
  No.  If I run the ldapwhoami from the server it works correctly.  In this particular case, I'm running it from an Ubuntu 11.10 workstation.  Apache Directory Studio on Windows also throws a certificate error when trying to connect.  Likewise I have reports of failure to connect via PHP-Ldap from a third computer.
TLS/SSL clients need at the very least the CA certificate chain in order to verify the server's certificate.
--------------

On other oddity about this is there are two boxes in play -- one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd behind the hostname 'ds.clarku.edu.' However the cert I have installed on each box is for ds.clarku.edu.
Not sure how this works with openldap - the usual way to handle this is to use subjectAltName so that the server's cert has animal.clarku.edu zoot.clarku.edu and ds.clarku.edu