Since this is now the top hit for "openldap Mozilla nss intermediate 
certificate," here's what I ended up doing:

[rant] First of all, I sincerely hate Mozilla NSS.  I don't understand why RH 
decided to build OpenLDAP against it.[/rant]

There, that aside, I noticed in the excellent FAQ at 
http://www.openldap.org/faq/data/cache/1514.html that "If you previously used 
OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS 
settings specified in your configuration files, those settings should work 
exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to 
read those settings, files, etc. and apply them in the same way."  So, I went 
to ole-reliable /etc/tls/certs and generated a key and csr, put the key in 
/etc/tls/private, and put the signed cert in /etc/tls/certs.  I also put the 
geotrust intermediate cert in /etc/tls/certs as well, and then changed 
cn=config to read:

olcTLSCACertificateFile: /etc/pki/tls/certs/geotrust-intermediate.crt
olcTLSCACertificatePath: /etc/pki/tls/certs
olcTLSCertificateFile: /etc/pki/tls/certs/ds.clarku.edu.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ds.clarku.edu.key

Happy TLS'ing everyone.


- Aaron

From: [email protected] 
[mailto:[email protected]] On Behalf Of Aaron Bennett
Sent: Friday, February 24, 2012 1:15 PM
To: [email protected]
Subject: Mozilla NSS -- how to deploy intermediate certificate

Hello,

I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built 
against Mozilla NSS.  In OpenSSL world, I'd use -- I think -- 
TLSCACertificateFile /path/to/CA-certificates.  Here's what I've tried:

Download GeoTrust cert from 
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 
and save as intermediate.crt

Import with:

# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt

certutil -L now shows:

# certutil -d /etc/openldap/nssdb/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

geotrust-intermediate                                        ,,
ds.clarku.edu                                                Pu,Pu,Pu


cn=config looks like this:

olcTLSCACertificateFile: geotrust-intermediate
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu

But still clients cannot verify the cert.

Any Mozilla NSS gurus know what I'm doing wrong?

Thanks,

Aaron
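
An added example that is not part of either message above: a shell script that builds a throwaway root / intermediate / leaf chain with the openssl command line and then runs the verification a TLS client would, so that the symptom from the original post (clients cannot verify the cert) and the effect of the file-based fix in the follow-up can be reproduced offline. Everything in it is constructed for the demonstration: the CA names, the hostname ldap.example.test, the temporary working directory and the ca.ext / leaf.ext extension files stand in for the GeoTrust intermediate and the ds.clarku.edu certificate. It assumes only a working openssl binary and does not touch slapd, cn=config or an NSS database.

```sh
#!/bin/sh
# Added example, not code from the thread: constructed root -> intermediate -> leaf
# chain, used to show why a client that trusts only the root cannot verify the leaf
# unless the intermediate is supplied alongside it. All names and files are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key and CSR in one step; the CN is the only subject component needed here.
new_csr() {  # new_csr <basename> <common-name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Constructed three-tier PKI: self-signed root, CA:TRUE intermediate, server leaf.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.test\n' \
        > "$WORK/leaf.ext"

    new_csr root "Test Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    new_csr int "Test Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

    new_csr leaf "ldap.example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

    # What a TLS client has to receive from the server: leaf first, then intermediate.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/server-chain.pem"
}

# By default openssl verify only accepts a self-signed certificate (subject == issuer)
# as a trust anchor. An intermediate never is, so a CA file holding only the
# intermediate cannot anchor a chain on the client side.
is_self_signed() {  # is_self_signed <cert.pem>
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Verify <leaf> against the anchor(s) in <cafile>; the optional <untrusted> file plays
# the role of the intermediate a server sends. Matching on ": OK" keeps the check
# independent of the exit-code behaviour of older openssl releases.
chain_verifies() {  # chain_verifies <leaf.pem> <cafile.pem> [untrusted.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    fi
}

cert_count() {  # cert_count <pem-bundle>
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_test_pki

report() {  # report <label> <command...>
    label=$1; shift
    if "$@"; then echo "$label: verifies"; else echo "$label: FAILS"; fi
}
report "leaf against intermediate only"     chain_verifies "$WORK/leaf.pem" "$WORK/int.pem"
report "leaf against root, no intermediate" chain_verifies "$WORK/leaf.pem" "$WORK/root.pem"
report "leaf against root + intermediate"   chain_verifies "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem"
echo "server-chain.pem carries $(cert_count "$WORK/server-chain.pem") certificates"
```

The three report lines are the point: the leaf verifies only when the verifier trusts the root and is also handed the intermediate. In the thread, clients trust GeoTrust's root, so the server has to supply the intermediate; that is what pointing olcTLSCACertificateFile at the intermediate PEM in the follow-up achieves, whereas after the certutil import in the original post clients still could not verify the cert. server-chain.pem is the bundle (leaf first, then intermediate) a client must see; how a particular slapd build is fed that bundle follows the thread above, not this script.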
