[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CA and Intermediate Certificates

Chris Jacobs wrote:

Put your intermediate cert and CA cert in the TLSCACertificateFile specified by your slapd.conf (or olsTLSCA... if using slapd.d).

And the server will include the chain correctly automagically. :)

Test via:
     openssl s_client -connect [host]:636 -showcerts </dev/null

From that, you should see the chain.

FWIW: I looked at the later mentioned FMs and Admin Guide and none seem
include the word 'chain' (except for chaining - a different topic), which is
how I would look to see how to configure or verify the server will include the
chain. The issue of chains is either not addressed or talked about in a way
that isn't obvious or simply hard to find.

http://www.openldap.org/doc/admin24/tls.html is pretty explicit.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/