Small correction: TLS_CACERT must be the certificate from a ROOT Certificate Authority or a Certificate Authority certificate signed by a known parent CA. CA means "Certificate Authority". There can be multiple levels of Certificate Authority.

Every certificate has an Issuer (Certificate Authority) which signed the certificate, and a Subject whose public key and other data is signed by the CA. If the certificate has the correct attributes, then it can be used to sign subordinate certificates. A certificate which has the same issuer and subject is a ROOT certificate because there is no parent certificate.

You might want to check if there is also a TLS_CACERTDIR directive or similar which could still allow the client to locate the CA Certificate.
Owen

On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:
>> proxy should not be able to
>> check the certificate sent by the backend ldap.
>>
>> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
>> TLS_REQCERT demand
>>
>> My issue is that the ssl connection still works if I comment the line with
>> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
>> and it should not because without this certificate authority my openldap
>> TLS certificate verification: Error, self signed certificate in certificate chain
>> but it works with this error.
>
> You must have your root CA -> self-signed after you create
> - CA and key for your LDAP server
> - CA and key for client
> both CA (client, server) you must sign by your CA root certificate
>
> pozdr
> rafal
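Owen's point about root versus subordinate certificates, as an added demo that is not part of the thread: it builds a self-signed root CA and an LDAP server certificate signed by it with the openssl CLI, checks which of the two has issuer equal to subject, and shows that chain verification (what TLS_REQCERT demand asks for) passes only when the root is the trust anchor, reproducing the "self signed certificate in certificate chain" error otherwise. All names, paths and the minimal config are constructed for this demo.

```shell
# Added demo (not from the thread): root CA -> LDAP server cert, then verification
# with and without the root as trust anchor. Names, paths, config are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.test
EOF

build_pki() {
  # Root CA: self-signed, so Issuer == Subject and there is no parent
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj "/CN=Demo Root CA" -days 30 \
    -config "$WORK/demo.cnf" -extensions v3_ca 2>/dev/null
  # Server CSR, then signed by the root (Issuer = root CA, Subject = server)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=ldap.example.test" \
    -config "$WORK/demo.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -out "$WORK/server.pem" \
    -extfile "$WORK/demo.cnf" -extensions v3_server 2>/dev/null
}
# "root" when issuer == subject (no parent certificate), else "subordinate"
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] && echo root || echo subordinate
}
# What TLS_REQCERT demand needs: the ROOT CA (TLS_CACERT, here $1) as trust anchor
verify_server() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}
# Root seen in the chain but not trusted: the exact error quoted in the thread
error_without_trusted_root() {
  openssl verify -untrusted "$WORK/root.pem" "$WORK/server.pem" 2>&1 |
    grep -qi 'self.signed certificate in certificate chain'
}

build_pki
echo "root.pem: $(cert_kind "$WORK/root.pem"); server.pem: $(cert_kind "$WORK/server.pem")"
verify_server "$WORK/root.pem" && echo "verified with the root CA as TLS_CACERT"
error_without_trusted_root && echo "without it: self signed certificate in certificate chain"
```

Pointing TLS_CACERT at the server's own certificate instead of the root reproduces the failure the original poster saw; only the self-signed root (or a CA certificate chaining to one that is trusted) satisfies the check.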