Re: Ubuntu Server 12.04: StartTLS

[Philip Guenther <guenther+ldaptech@sendmail.com>]

On Mon, 5 Nov 2012, Admus wrote:
...
> The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
> 
> - The hostname in the certificate matches 'ldap1.example.com'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted

In order to verify the server's certificate, root CA that's 'above' the 
server's cert needs to be configured as a trusted CA for the client.

For OpenSSL, that's done by placing it in the file designated by the 
TLS_CACERT ldap.conf option, or in the directory designated by the 
TLS_CACERTDIR ldap.conf option with the correct hashed filename.

The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS, 
so presumably you just have to place the trusted root certificate(s) in a 
single file and point TLS_CACERT at that, in whatever format GnuTLS uses.


Philip Guenther