-----Original Message-----
From: Howard Chu [mailto:[email protected]] 
Sent: Friday, February 24, 2012 4:37 PM
To: [email protected]
Cc: Rich Megginson; Aaron Bennett; [email protected]
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate

Rich Megginson wrote:
> On 02/24/2012 01:31 PM, Aaron Bennett wrote:

>> One other oddity about this is there are two boxes in play -- one's hostname 
>> is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are 
>> round-robin'd behind the hostname 'ds.clarku.edu.' However the cert I have 
>> installed on each box is for ds.clarku.edu.

> Not sure how this works with openldap - the usual way to handle this 
> is to use subjectAltName so that the server's cert has 
> animal.clarku.edu zoot.clarku.edu and ds.clarku.edu

That's already documented here:
http://www.openldap.org/doc/admin24/tls.html

Obviously there is a standard for it and we implement that spec.
-----------

That's great -- and I understand, but the error I'm getting is "The issuer 
certificate is unknown" from Apache Directory Explorer and "TLS: peer cert 
untrusted or revoked (0x42)" from ldapwhoami.  If the cert that's loaded into 
Mozilla NSS is for 'ds.clarku.edu' and the request is sent for 'ds.clarku.edu', 
how are animal and zoot coming into play?  I'm happy to get a new cert with 
subjectAltNames as appropriate, but I'm concerned that the issue is an 
improperly loaded or missing intermediate certificate.  

Rich, can you give me some more direction on how to verify that the 
intermediate certificate is properly deployed?

Thanks for your time,

Aaron
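A way to reproduce the symptom locally, added here as an illustration and not part of the thread above: build a constructed root -> intermediate -> leaf chain with openssl, then run `openssl verify` against the leaf with and without the intermediate. Only the root is trusted, as a client's NSS or CA store would be; the hostnames (example.test) and file paths are made up for the demo.

```shell
# Constructed demo: build a root -> intermediate -> leaf chain in a temp dir,
# then verify the leaf with and without the intermediate certificate.
set -e
WORK=$(mktemp -d)
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ds.example.test, DNS:animal.example.test, DNS:zoot.example.test
EOF
# Self-signed root CA (the trust anchor a client would have in its NSS/CA store).
openssl req -x509 -config "$WORK/cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
  -sha256 -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -config "$WORK/cfg" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/cfg" -extensions ca_ext \
  -out "$WORK/int.crt" 2>/dev/null
# Server (leaf) certificate, signed by the intermediate, with all three hostnames as SANs.
openssl req -new -config "$WORK/cfg" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ds.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" \
  -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/cfg" -extensions leaf_ext \
  -out "$WORK/leaf.crt" 2>/dev/null

# verify_leaf ROOT LEAF [INTERMEDIATE]: prints "ok" if the leaf chains to ROOT, else "fail".
# Only ROOT is trusted; INTERMEDIATE is passed as -untrusted, the way a server would send it.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# With the intermediate supplied the chain closes; without it the verifier cannot
# find the leaf's issuer, the same condition behind "issuer certificate is unknown".
echo "with intermediate:    $(verify_leaf "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/int.crt")"
echo "without intermediate: $(verify_leaf "$WORK/root.crt" "$WORK/leaf.crt")"
```

Against a live LDAPS server the chain it actually sends can be captured with `openssl s_client -connect host:636 -showcerts`; if the intermediate is absent from that output, every client ends up in the second case regardless of which hostname it connected to.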
