Howard, I have read that and I have set a bundle of my Root/Child CA included with the TLSCACertificateFile directive.

My TLS configuration is as follows:

TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never

Anyway, if I do not include the Child CA certificate in the appropriate stores at the client side, the server certificate cannot be verified. I have tried to get some more info with openssl (openssl s_client -connect hostname:636) and it returns that there are no client certificate CA names sent.

Any suggestions?

~Cheers~

-----Original Message-----
From: Howard Chu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain

Read the Admin Guide, section 12.2.1.1.

Krasimir Ganchev wrote:
> Hello guys,
>
> I am using a globally recognized certificate with my openldap server
> which is issued by a Child CA trusted by the Root CA of my certificate
> provider. Is there any possible way to include the Child CA certificate
> within the server certificate chain?
>
> The thing is that I have a couple of Windows-based clients using my
> openldap server and I can't make them verify the server certificate. The
> Root CA is included in the trusted Root CAs Windows store, but since the
> Child CA ain't there and doesn't appear in the certificate chain the
> clients could not verify the server certificate and give up with an
> error unless they are being configured to ignore errors.
>
> That's the reason why I would like to include the Child CA /Signing CA/
> certificate within the server certificate chain which will allow those
> clients to confirm the server's certificate and its signing CA certificate
> against the trusted root CA.
>
> Is there any possible way to achieve that and is it up to configuration?

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
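
An added example, not part of the original thread or of OpenLDAP: the "Certificate chain" section of the openssl s_client -connect hostname:636 output lists the certificates the server actually sends, so a Child CA that is not being sent shows up there. The sample output, subject names and trusted-root set below are constructed, and the check compares names only (real clients also verify each signature).

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -connect hostname:636`; all names are made up.
LEAF = " 0 s:/C=BG/O=Example Org/CN=ldap.example.org\n   i:/C=US/O=Example Trust/CN=Example Child CA\n"
CHILD = " 1 s:/C=US/O=Example Trust/CN=Example Child CA\n   i:/C=US/O=Example Trust/CN=Example Root CA\n"
LEAF_ONLY = "CONNECTED(00000003)\n---\nCertificate chain\n" + LEAF + "---\nServer certificate\n"
WITH_CHILD = "---\nCertificate chain\n" + LEAF + CHILD + "---\n"
TRUSTED_ROOTS = {"/C=US/O=Example Trust/CN=Example Root CA"}  # assumed client root store


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break  # end of the chain section
        elif in_chain:
            m = re.match(r"\s*\d+\s+s:\s*(.*)$", line)
            if m:
                subject = m.group(1).strip()
                continue
            m = re.match(r"\s*i:\s*(.*)$", line)
            if m and subject is not None:
                chain.append((subject, m.group(1).strip()))
                subject = None
    return chain


def check_chain(s_client_output, trusted_roots):
    """Name-based check: is every link present up to a root the client trusts?"""
    chain = parse_chain(s_client_output)
    if not chain:
        return "no certificate chain found"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "out of order: %s is not followed by its issuer" % issuer
    top_subject, top_issuer = chain[-1]
    if top_issuer in trusted_roots or top_subject in trusted_roots:
        return "ok"
    return "missing intermediate: %s" % top_issuer
```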