[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
CA and Intermediate Certificates
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: CA and Intermediate Certificates
- From: Andrew Devenish-Meares <adevenis@une.edu.au>
- Date: Thu, 14 Aug 2014 05:25:07 +0000
- Accept-language: en-AU, en-US
- Content-id: <553B22C4ED4AC940B2792A5C495289E9@ad.une.edu.au>
- Content-language: en-US
- Thread-index: AQHPt4Ac73Z9Q15hD0C2CM9Lxv3DmQ==
- Thread-topic: CA and Intermediate Certificates
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
Hi All,
We are currently assessing changing our TLS Certificate setup.
We have been using a self-signed CA to issue certificates for our
OpenLDAP setup, which has required us to supply the CA to anyone outside
our organisation that wishes to use our OpenLDAP over TLS or SSL.
We're currently starting to migrate our certificates to AusCERT, as we
get a good deal as a University. As AusCERT is an intermediate CA, so
we need to use a chain to get this to work.
The server side works, as per the documentation, by adding the
intermediate CA with the root CA in the olcTLSCertificateCAFile.
This means that we need to install the intermediate certificate on
clients that connect to our LDAP using SSL or TLS. Admittedly this
isn't vastly different to what we need to do now in supplying our own CA.
Looking at our Linux clients in particular, we need to add an
appropriate TLS_CACERT directive to our openldap/ldap.conf. Is the
intention, then, to point the client at the appropriate CA files? Is
there a reason that OpenLDAP doesn't use the regular system CA store? Is
there any reason for us not to point to the CA store that's already
maintained?
Cheers
--
Andrew Devenish-Meares
Solutions Analyst
Information Technology
University of New England
Armidale NSW 2351
e: adevenis@une.edu.au
p: 02 6773 4098
w: http://une.edu.au/itd