On 04/13/2011 04:37 PM, Rich Megginson wrote:
Also post the output of
openssl x509 -in /path/to/the/server-cert.pem -text
# openssl x509 -in /etc/openldap/cacerts/curri3-cert.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux,
CN=server.fdqn/[email protected]
Validity
Not Before: Apr 12 15:55:56 2011 GMT
Not After : Jan 6 15:55:56 2014 GMT
Subject: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux,
CN=client.fdqn/[email protected]
I notice that the format of the Issuer here does not match the format of
the Subject, but that may be just a difference in the way moznss and
openssl handle the "/emailAddress=...". You could confirm by doing
openssl x509 -in /path/to/cacert.pem -text
I don't know - I don't see anything obviously wrong here.
I'm just following the steps, I no longer know what to do, but I'm
afraid that I'm kind of stuck.
As the server is a rhel6, its openldap is compiled against openssl; the
clients are using openldap with moznss, so it looks like I'll be forced
to recompile everything to either moznss or openssl, but it looks very,
very complicated.
I will try to make the setup from fedora to fedora with certificates and
see if the tls communication is easier. If that works, I think that I
will abandon the setup with rh; I can afford spending more time on this,
especially if you (who know a lot more than me) think that there's
nothing wrong.
If you think this is a problem with openldap+moznss (that is, if you can
get it to work with openldap+openssl), please file a bug/its.
If I can give it a try later on, I'll do it.
Thanks,
j