On 02/27/2012 09:14 AM, Aaron Bennett wrote:
-----Original Message-----
From: Rich Megginson [mailto:[email protected]]
Sent: Monday, February 27, 2012 10:57 AM
To: Aaron Bennett
Cc: [email protected]
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
Rich, can you give me some more direction on how to verify that the
intermediate certificate is properly deployed?
On the client:
certutil -d /path/to/nss-cert-db-directory -L
--------------
Rich, you aren't getting what I'm asking...
If I run: "certutil -d /etc/openldap/nssdb/ -L" on the server, it works, and
if I try to connect to it from the server using the ldap clients (like ldapwhoami or
ldapsearch or whatever) it works.
But, the client is a different computer, in this case, a Windows 7 box running Apache
Directory Studio, or an ubuntu workstation running GnuTLS, or whatever, and they don't
work -- I get "TLS: peer cert untrusted or revoked (0x42)."
OK. I don't know how those clients configure their TLS settings. The
only thing I know for sure is that you have to make sure each of those
clients has the entire CA cert chain for the CA that issued the LDAP
server cert.