Re: Antw: Re: TLSCACertificateFile directive and multiple CA certificates
On Thu, May 18 2017 at 20:17:16 +0900, Alexandre Rosenberg scribbled
in "Re: Antw: Re: TLSCACertificateFile directive and multiple CA certificates":
> Hello,
>
> I tested, and the issue only happens if 2 CAs have the same DN.
> I regenerated the new CA with a different DN and it's working.
>
> As I mentioned, I am not sure what the proper behavior of
> OpenLDAP/OpenSSL should be in case 2 CAs have the same DN.
>
> I am not sure if I am misunderstanding what TLSCACertificateFile is used
> for. The main use is to let OpenLDAP know which CA it should trust
> when validating certificates. That is clearly what is in the doc.
>
> Best,
>
> Alex
Hi Alex,
Glad you got it working.
I think the proper behaviour would be to not have 2 CAs with the same
DN, as the first match wins. As the DN is used to identify the issuer
of the certificate you're attempting to authenticate, it would make
little sense to have a naming collision.
I realise the docs say that order doesn't matter, but that assumes
that all included certificates would have clearly distinguished
subject names (hence "DN").
Cheers.
Dameon.
--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Systems Development and Support
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
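A check for the collision discussed in this thread, added here as an example and not part of the original messages: it runs openssl over each certificate in a PEM bundle (such as the file named by TLSCACertificateFile) and reports any subject DN that occurs more than once, so a duplicate issuer name is caught before a verification fails on the wrong CA. It assumes openssl and a POSIX awk are on the PATH.

```shell
#!/bin/sh
# ca_bundle_dupes BUNDLE
#   Prints every subject DN that appears on more than one certificate in
#   the PEM bundle and returns 1; returns 0 when all subjects are unique.
#   Subjects are printed in RFC 2253 form (one line each) so that
#   sort/uniq can compare them byte for byte.
ca_bundle_dupes() {
    bundle="$1"
    dupes=$(awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; cert = "" }
        inside { cert = cert $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inside = 0
            # Feed the single certificate to openssl and let it print the subject.
            cmd = "openssl x509 -noout -subject -nameopt RFC2253"
            print cert | cmd
            close(cmd)
        }' "$bundle" | sort | uniq -d)
    if [ -n "$dupes" ]; then
        printf 'duplicate CA subject DN(s) in %s:\n%s\n' "$bundle" "$dupes"
        return 1
    fi
    return 0
}

# Stand-alone usage: ca_bundle_dupes.sh /etc/openldap/cacerts.pem
if [ "$#" -eq 1 ]; then
    ca_bundle_dupes "$1"
fi
```

Because the check compares only the subject name, two distinct root certificates that share a DN are reported even when their keys differ, which is exactly the case that made only the first match usable.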