
RE: CA and Intermediate Certificates



Per your link:
----
16.2.1.1. TLSCACertificateFile <filename>

This directive specifies the PEM-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.
----

I would add: "The entire available chain is sent to clients during TLS startup."

I don't see that being implied in there. Merely 'put the certs here, and intermediates must be too'.

My two cents as a non-developer, non-OpenLDAP contributor, sysadmin. :-)

- chris

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, August 14, 2014 11:35 AM
To: Chris Jacobs; Andrew Devenish-Meares; openldap-technical@openldap.org
Subject: Re: CA and Intermediate Certificates

Chris Jacobs wrote:
> Andrew,
>
> Put your intermediate cert and CA cert in the TLSCACertificateFile specified by your slapd.conf (or olcTLSCA... if using slapd.d).
>
> And the server will include the chain correctly automagically. :)
>
> Test via:
>      openssl s_client -connect [host]:636 -showcerts </dev/null
>
> From that, you should see the chain.
>
> FWIW: I looked at the later mentioned FMs and Admin Guide and none seem to
> include the word 'chain' (except for chaining - a different topic), which is how I would look to see how to configure or verify the server will include the chain. The issue of chains is either not addressed or talked about in a way that isn't obvious or simply hard to find.

http://www.openldap.org/doc/admin24/tls.html
16.2.1.1 is pretty explicit.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

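The chain file and the `openssl s_client -showcerts` check discussed in this thread, as an added example that is not code from the thread or from the OpenLDAP project: a POSIX shell function that walks the `s:`/`i:` (subject/issuer) header lines s_client prints for each certificate the server sent, confirms that every issuer is the subject of the next certificate up, and fails if the final "Verify return code" is not 0. The file paths and the three sample s_client transcripts are constructed for illustration. Run s_client with `-CAfile` pointing at the root certificate only; if the intermediate is missing from the server's TLSCACertificateFile that shows up as verify error 20, whereas a system trust store that happens to already hold the intermediate would mask the omission.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are assumptions.
#
# 1. Build the bundle slapd loads from TLSCACertificateFile. The order of
#    certificates in the file does not matter (Admin Guide 16.2.1.1):
#      cat intermediate.pem root.pem > /etc/openldap/certs/ca-chain.pem
#    slapd.conf:        TLSCACertificateFile /etc/openldap/certs/ca-chain.pem
#    cn=config (LDIF):  olcTLSCACertificateFile: /etc/openldap/certs/ca-chain.pem
#
# 2. Verify what the server actually sends. Live usage:
#      openssl s_client -connect ldap.example.com:636 -showcerts \
#          -CAfile /etc/openldap/certs/root.pem </dev/null 2>/dev/null | check_chain

# check_chain reads s_client output on stdin and returns 0 only when the
# presented chain is contiguous and the verify return code is 0.
check_chain() {
    awk '
        BEGIN { n = 0; vrc = "" }
        # " 0 s:<subject>" opens each presented certificate ...
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        # ... and the following "   i:<issuer>" line closes it.
        /^ *i:/        { sub(/^ *i:/, "");        iss[n] = $0; n++ }
        /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); vrc = $0 }
        END {
            ok = 1
            if (n == 0) { print "FAIL: no certificate chain in input"; exit 2 }
            # Each issuer must be the subject of the next certificate the server sent.
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) {
                    print "FAIL: depth " k " issuer [" iss[k] "] is not the subject at depth " (k + 1)
                    ok = 0
                }
            if (iss[n - 1] == subj[n - 1])
                print "chain of " n " cert(s) ends at a self-signed root: " subj[n - 1]
            else
                print "chain of " n " cert(s); client must trust issuer: " iss[n - 1]
            if (vrc != "") {
                split(vrc, f, " ")
                if (f[1] != "0") { print "FAIL: verify return code " vrc; ok = 0 }
                else print "verify return code " vrc
            }
            exit ok ? 0 : 1
        }'
}

# Constructed s_client transcripts (PEM bodies abbreviated; the check ignores them).
# Server sends leaf + intermediate, client trusts the root: the expected result.
SAMPLE_OK=$(cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Corp/CN=ldap.example.com
   i:/C=US/O=Example Corp/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...leaf...
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Corp/CN=Example Intermediate CA
   i:/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIC...intermediate...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
EOF
)
# Server sends only the leaf (intermediate not in TLSCACertificateFile).
SAMPLE_MISSING=$(cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Corp/CN=ldap.example.com
   i:/C=US/O=Example Corp/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...leaf...
-----END CERTIFICATE-----
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
)
# Server sends leaf + root but not the intermediate: the links do not join.
SAMPLE_GAP=$(cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Corp/CN=ldap.example.com
   i:/C=US/O=Example Corp/CN=Example Intermediate CA
 1 s:/C=US/O=Example Corp/CN=Example Root CA
   i:/C=US/O=Example Corp/CN=Example Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
)

printf '%s\n' "$SAMPLE_OK" | check_chain
printf '%s\n' "$SAMPLE_MISSING" | check_chain || echo "(expected failure: leaf only)"
printf '%s\n' "$SAMPLE_GAP" | check_chain || echo "(expected failure: intermediate skipped)"
```

The subject/issuer walk catches the case Chris describes (root present, intermediate forgotten) even on a client whose trust store would otherwise hide it, and the verify return code catches the plain "leaf only" case, so together they answer the question of whether slapd is serving the chain rather than whether the cert file merely exists.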