
Re: CA and Intermediate Certificates



Chris Jacobs wrote:
Andrew,

Put your intermediate cert and CA cert in the TLSCACertificateFile specified by your slapd.conf (or olcTLSCA... if using slapd.d).

And the server will include the chain correctly automagically. :)

Test via:
     openssl s_client -connect [host]:636 -showcerts </dev/null

From that, you should see the chain.

FWIW: I looked at the later mentioned FMs and Admin Guide and none seem
to include the word 'chain' (except for chaining - a different topic), which is
how I would look to see how to configure or verify the server will include the
chain. The issue of chains is either not addressed or talked about in a way
that isn't obvious or simply hard to find.

http://www.openldap.org/doc/admin24/tls.html
16.2.1.1 is pretty explicit.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
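
Added example, not part of the thread and not OpenLDAP's own code: a small POSIX shell script that builds a throwaway root -> intermediate -> server PKI with the openssl command line, assembles the intermediate-plus-root file the post says to point TLSCACertificateFile (olcTLSCACertificateFile) at, and then checks a saved `openssl s_client -showcerts` transcript offline the way the post suggests: it counts the certificates the server presented and verifies the leaf against the root, using whatever else the server sent as the untrusted intermediate pool. The transcripts are constructed from the generated certificates to mimic s_client output, not captured from a real slapd; the names ldap.example.com, Example Root CA and Example Intermediate CA are placeholders. It assumes openssl 1.1.1 or later and a system openssl.cnf (which `openssl req` needs).

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP). Builds a throwaway
# root -> intermediate -> server PKI and checks what a server presents.
# All names are placeholders; transcripts are constructed, not captured.

# Generate root, intermediate and server certs in $1.
# Assumes openssl >= 1.1.1 and a system openssl.cnf for `req`.
make_test_pki() {
    dir=$1
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    cat > "$dir/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:ldap.example.com
EOF
    # Root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    # Server cert: signed by the intermediate (what TLSCertificateFile holds).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 1 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # What the post says to put in TLSCACertificateFile: intermediate and root.
    cat "$dir/int.crt" "$dir/ca.crt" > "$dir/chain.pem"
}

# Write a constructed transcript shaped like `openssl s_client -showcerts`
# output for a server that sends the given PEM files, in order.
# $1 = output file, $2.. = certificate files in the order the server sends them
fake_showcerts() {
    out=$1; shift
    {
        echo 'CONNECTED(00000003)'
        echo '---'
        echo 'Certificate chain'
        i=0
        for c in "$@"; do
            echo " $i s:$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')"
            echo "   i:$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')"
            cat "$c"
            i=$((i + 1))
        done
        echo '---'
    } > "$out"
}

# Keep only the PEM blocks from a transcript (drops s_client chatter).
presented_certs() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Number of certificates in a transcript or PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Verify the first certificate the server presented (the leaf) against the
# trusted root in $2, using the rest of what it sent as untrusted
# intermediates. Succeeds only if the server really sent a usable chain.
verify_presented() {
    tmp=$(mktemp -d)
    : > "$tmp/extra.pem"
    presented_certs "$1" | awk -v leaf="$tmp/leaf.pem" -v extra="$tmp/extra.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > extra }'
    if [ -s "$tmp/extra.pem" ]; then
        openssl verify -CAfile "$2" -untrusted "$tmp/extra.pem" "$tmp/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$tmp/leaf.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo: a server configured with the chain file vs. one that sends only its leaf.
work=$(mktemp -d)
make_test_pki "$work"
fake_showcerts "$work/good.txt" "$work/server.crt" "$work/int.crt"
fake_showcerts "$work/bad.txt" "$work/server.crt"
echo "good transcript: $(count_certs "$work/good.txt") cert(s) presented"
verify_presented "$work/good.txt" "$work/ca.crt" && echo "good: leaf verifies against the root"
echo "bad transcript: $(count_certs "$work/bad.txt") cert(s) presented"
verify_presented "$work/bad.txt" "$work/ca.crt" || echo "bad: leaf only, issuer not available to the client"
rm -rf "$work"
```

The "bad" transcript is what a client sees when the intermediate was never added to the CA file: a client that trusts only the root cannot build the path and openssl reports "unable to get local issuer certificate". To check a real server, save `openssl s_client -connect host:636 -showcerts </dev/null` to a file and run `count_certs` and `verify_presented` against it with your real root; two or more presented certificates and a successful verify mean the intermediate is being sent.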