The server needs to be able to generate the full certificate chain during
the SSL conversation such that the final cert is signed by something in
the ca certificate store in use by the client. This means that in
addition to the intermediate CA that is the issuer of your server cert,
your slapd needs to have the other CAs in the chain as well. Sticking the
intermediate certs at the end of the cacert-bundle file should work.
You can confirm that your ca cert bundle is adequate by doing
openssl verify -CAfile /etc/ldap/cacert-bundle.pem /etc/ldap/servercrt.pem
If that doesn't succeed in verifying servercrt.pem then cacert-bundle.pem
doesn't have the right stuff in it. If cacert-bundle.pem is good, then
openssl s_client -verify 2 -connect hostname:636
should show you the trust chain one element at a time with the
(s)ubject and (i)ssuer at each step. If you have more than one
intermediate CA then you would specify a number higher than '2'. The
final cert in the chain should be the real root CA and be self-signed as
indicated by the subject and issuer being the same. If that cert is in
the client CA cert bundle then you should be good to go. If it isn't,
then either your clients need to be upgraded or your CA is lousy.
On Thu, 19 Apr 2007, Krasimir Ganchev wrote:
Howard,
I have read that and I have set a bundle of my Root/Child CA included with
the TLSCACertificateFile directive.
My TLS configuration is as follows:
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never
Anyway if I do not include the Child CA certificate in the appropriate
stores at the client side the server certificate could not be verified.
I have tried to get some more info with openssl (openssl s_client -connect
hostname:636) and it returns that there are no client certificate CA names
sent.
Any suggestions?
~Cheers~
-----Original Message-----
From: Howard Chu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain
Read the Admin Guide, section 12.2.1.1.
Krasimir Ganchev wrote:
Hello guys,
I am using a globally recognized certificate with my openldap server
which is issued by a Child CA trusted by the Root CA of my certificate
provider. Is there any possible way to include the Child CA certificate
within the server certificate chain?
The thing is that I have couple of windows based clients using my
openldap server and I can't make them verify the server certificate. The
Root CA is included in the trusted Root CAs Windows store, but since the
Child CA ain't there and doesn't appear in the certificate chain the
clients could not verify the server certificate and give up with an
error unless they are being configured to ignore errors.
That's the reason why I would like to include the Child CA /Signing CA/
certificate within the server certificate chain which will allow those
clients to confirm server's certificate and its signing CA certificate
against the trusted root CA.
Is there any possible way to achieve that and is it up to configuration?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342