[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Is my process correct.: openldap using GeoTrust

> From: owner-openssl-users@openssl.org On Behalf Of Rodney Simioni
> Sent: Friday, 21 June, 2013 11:38

> Comments below.
> From: owner-openssl-users@openssl.org On Behalf Of Dave Thompson
> Sent: Thursday, June 20, 2013 6:24 PM
> The wildcard.securesites.com.cert you posted 6/19 has
> Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA and AKI 
> 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
> GeoTrust doesn't publish that anywhere I can find but 
> http://www.tbs-certificats.com/FAQ/en/603.html has <snip>
> which is an intermediate (not root) cert (verifiably) under
> Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA AKI 
> C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
> [[Rod's comment]] I need clarification please. The 'Root 2' 
> is the root CA that I can download from geotrust and the one 
> provided to me by my sysadmin is an intermeadiate?
> and THAT is "Root 2" (one of several) on 
> http://www.geotrust.com/resources/root-certificates/index.html
> (also in the standard Windows, Firefox, and Java truststores)
The cert from your admin is a *user* cert -- for *.securesites.com.
The one I found on tbs-certificats is the relevant intermediate.
"Root 2" from GeoTrust, or elsewhere, is the relevant root.

> >What command do I use to make sure the key/pair that was 
> sent to me is 
> >compatible with GeoTrust's CA?
> Either concatenate the intermediate above and the correct 
> root (also in PEM) into one file say geotrustCAs.pem and do:
> openssl verify -CAfile geotrustCAs.pem yourcertfile
> [[Rod's comment]] Are you saying to  concatenate the 
> intermediate root and 'Root 2' which should be downloaded 
> from geotrust?
The intermediate cert and the root cert. The intermediate is 
a CA cert, but is not a root cert (or root CA cert).

> Or put them as separate files in some directory say mycadir, 
> create hashnames using c_rehash or by hand, and do:
> openssl verify -CApath mycadir yourcertfile
> (The first is usually easier.)
> Assuming (as asked before) your opendlap is using openssl not 
> MozillaNSS, to use a key&cert with an intermediate cert 
> openssl requires either configuring a certchain file or 
> putting the chain cert(s) in the truststore (even if the
> cert(s) or truststore aren't needed for verification).
> [[Rod's comment]] As you said before, I'm probably using 
> MozNSS because of the errors I was getting several emails 
> ago. What should I do? Should I remove MozNSS pkg? I've already
> Installed openssl-devel pkg.
Someone else suggested that and I was referring to them. 
Part of the errorlog you posted before looks consistent 
with MozNSS, but part looks consistent with openssl to me, 
so I can't tell. I expect openldap has a way to tell you 
which it uses, but I don't know how. 'devel' packages probably 
matter only if you are re-building openldap; are you?

If you are in fact using MozNSS, the same principles still apply 
as to which key and certficates you need where (server vs client),
but the specifics of what file(s) you put them are entirely 
different, so ignore those parts of my instructions.