On Wed, Nov 24, 2004, Florin Angelescu wrote:
> On Wednesday 24 November 2004 11:44, Dr. Stephen Henson wrote:
> > On Wed, Nov 24, 2004, Florin Angelescu wrote:
> > > On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:
> > > > On Tue, Nov 23, 2004, Florin Angelescu wrote:
> > > > > Hello
> > > > > I am trying to set up SSL access to LDAP
> > > > > following http://www.openldap.org/faq/data/cache/185.html
> > > > >
> > > > > I created my CA
> > > > > and signed the certificates for the server and client
> > > > > but I still get a 'self signed error'
> > > > > I checked and I saw that it was because of cacert.pem which is
> > > > > self-signed
> > > > >
> > > > > question : how to solve this ???
> > > > > (do I have to sign the CA certificate by another CA ? and how ? )
> > > > > thank you very much
> > > >
> > > > Firstly I'd suggest you use CA.pl instead of CA.sh which is older.
> > > >
> > > > What is giving you the error? If it's a client then you'd need to
> > > > include a command line switch or configuration option telling it to
> > > > include 'cacert.pem' in its trusted list of CAs.
> > > >
> > > > Steve.
> > > > --
> > >
> > > Thank you for answering.
> > > The error is given by ldapsearch (and ldap.conf & sldap.conf are well
> > > configured).
> > > The error is also reported by openssl:
> > > "self signed certificate in certification chain"
> > > (the CA certificate)
> >
> > The problem is not that you have a self signed CA, it is that the software
> > doesn't trust it. The configuration or command line options should provide
> > a means of specifying a file or directory containing trusted CAs. You
> > should change them to include 'cacert.pem'.
> >
> > Steve.
> I used CA.pl -newcert
> I thought it does everything for me ....
> here is what I got
>
> ldap misc # openssl verify demoCA/cacert.pem
> demoCA/cacert.pem: /C=BE/ST=BEGLIUM/L=BRUSSELS/O=CAAMI_CA1/OU=CCI/CN=CAAMI_CA1/[EMAIL PROTECTED]
> error 18 at 0 depth lookup:self signed certificate
> OK
>

If you do:

openssl verify -CAfile demoCA/cacert.pem demoCA/cacert.pem

or

openssl verify -CAfile demoCA/cacert.pem newcert.pem

(or whatever the server certificate is called) it should then be OK.

If OpenSSL just trusted any certificate created by CA.pl then anyone could
create a certificate that your system would trust and that would be a rather
large security hole. So you have to tell the OpenSSL applications which CAs
they should trust. That's what the -CAfile command line option above is
doing.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
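The point of Steve's reply (a self-signed CA is fine; the verifier simply has to be told to trust it) as an added shell example that is not part of the thread: it builds a throwaway CA and a server certificate with the openssl CLI and compares `openssl verify` with and without `-CAfile`. The DN fields and the host name are constructed placeholders, and the script assumes an openssl CLI that accepts `-subj`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reproduces the
# "self signed certificate" verify error and shows that -CAfile is what
# makes OpenSSL trust the CA. Names below are placeholders, keys are throwaway.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA, the equivalent of demoCA/cacert.pem from CA.pl -newca.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/C=BE/O=CAAMI_CA1/CN=CAAMI_CA1" >/dev/null 2>&1
}
# 2. Server certificate signed by that CA (the thread's newcert.pem).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" \
        -subj "/C=BE/O=CAAMI_CA1/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/servercert.pem" >/dev/null 2>&1
}
# verify_with_trust <cert> [<ca file>]: prints the X509 verify error number
# reported by "openssl verify" (18 = self signed certificate at depth 0),
# "OK" when the chain verifies, or UNKNOWN if neither could be parsed.
verify_with_trust() {
    cert=$1
    if [ $# -ge 2 ]; then
        out=$(openssl verify -CAfile "$2" "$cert" 2>&1) || true
    else
        out=$(openssl verify "$cert" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        echo UNKNOWN
    fi
}

make_ca
make_server_cert
echo "CA cert, no trust anchor given:    $(verify_with_trust "$WORK/cacert.pem")"
echo "server cert, -CAfile cacert.pem:   $(verify_with_trust "$WORK/servercert.pem" "$WORK/cacert.pem")"
```

The first line prints 18, exactly the error Florin saw; the second prints OK because the CA is now named explicitly as trusted, which is the only thing that changed.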