cacert.pem selfsigned certificate problem

2004-11-23 Thread Florin Angelescu
Hello,
I am trying to set up SSL access to LDAP
following http://www.openldap.org/faq/data/cache/185.html

I created my CA
and signed the certificates for the server and client,
but I still get a 'self signed error'.
I checked and I saw that it was because of cacert.pem, which is self-signed.

Question: how to solve this?
(Do I have to sign the CA certificate by another CA? And how?)
Thank you very much.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: cacert.pem selfsigned certificate problem

2004-11-23 Thread Dr. Stephen Henson
On Tue, Nov 23, 2004, Florin Angelescu wrote:

> Hello,
> I am trying to set up SSL access to LDAP
> following http://www.openldap.org/faq/data/cache/185.html
> 
> I created my CA
> and signed the certificates for the server and client,
> but I still get a 'self signed error'.
> I checked and I saw that it was because of cacert.pem, which is self-signed.
> 
> Question: how to solve this?
> (Do I have to sign the CA certificate by another CA? And how?)
> Thank you very much.

Firstly, I'd suggest you use CA.pl instead of CA.sh, which is older.

What is giving you the error? If it's a client then you'd need to include a
command line switch or configuration option telling it to include 'cacert.pem'
in its trusted list of CAs.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: cacert.pem selfsigned certificate problem

2004-11-23 Thread Florin Angelescu
On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:
> On Tue, Nov 23, 2004, Florin Angelescu wrote:
> > Hello,
> > I am trying to set up SSL access to LDAP
> > following http://www.openldap.org/faq/data/cache/185.html
> >
> > I created my CA
> > and signed the certificates for the server and client,
> > but I still get a 'self signed error'.
> > I checked and I saw that it was because of cacert.pem, which is self-signed.
> >
> > Question: how to solve this?
> > (Do I have to sign the CA certificate by another CA? And how?)
> > Thank you very much.
>
> Firstly, I'd suggest you use CA.pl instead of CA.sh, which is older.
>
> What is giving you the error? If it's a client then you'd need to include a
> command line switch or configuration option telling it to include
> 'cacert.pem' in its trusted list of CAs.
>
> Steve.
> --
Thank you for answering.
The error is given by ldapsearch (and ldap.conf and slapd.conf are well
configured).
The error is also reported by openssl:
"self signed certificate in certification chain"
(the CA certificate)



Re: cacert.pem selfsigned certificate problem

2004-11-24 Thread Dr. Stephen Henson
On Wed, Nov 24, 2004, Florin Angelescu wrote:

> On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:
> > On Tue, Nov 23, 2004, Florin Angelescu wrote:
> > > Hello,
> > > I am trying to set up SSL access to LDAP
> > > following http://www.openldap.org/faq/data/cache/185.html
> > >
> > > I created my CA
> > > and signed the certificates for the server and client,
> > > but I still get a 'self signed error'.
> > > I checked and I saw that it was because of cacert.pem, which is self-signed.
> > >
> > > Question: how to solve this?
> > > (Do I have to sign the CA certificate by another CA? And how?)
> > > Thank you very much.
> >
> > Firstly, I'd suggest you use CA.pl instead of CA.sh, which is older.
> >
> > What is giving you the error? If it's a client then you'd need to include a
> > command line switch or configuration option telling it to include
> > 'cacert.pem' in its trusted list of CAs.
> >
> > Steve.
> > --
> Thank you for answering.
> The error is given by ldapsearch (and ldap.conf and slapd.conf are well
> configured).
> The error is also reported by openssl:
> "self signed certificate in certification chain"
> (the CA certificate)
> 

The problem is not that you have a self-signed CA; it is that the software
doesn't trust it. The configuration or command line options should provide a
means of specifying a file or directory containing trusted CAs. You should
change them to include 'cacert.pem'.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: cacert.pem selfsigned certificate problem

2004-11-24 Thread Florin Angelescu
On Wednesday 24 November 2004 11:44, Dr. Stephen Henson wrote:
> On Wed, Nov 24, 2004, Florin Angelescu wrote:
> > On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:
> > > On Tue, Nov 23, 2004, Florin Angelescu wrote:
> > > > Hello,
> > > > I am trying to set up SSL access to LDAP
> > > > following http://www.openldap.org/faq/data/cache/185.html
> > > >
> > > > I created my CA
> > > > and signed the certificates for the server and client,
> > > > but I still get a 'self signed error'.
> > > > I checked and I saw that it was because of cacert.pem, which is
> > > > self-signed.
> > > >
> > > > Question: how to solve this?
> > > > (Do I have to sign the CA certificate by another CA? And how?)
> > > > Thank you very much.
> > >
> > > Firstly, I'd suggest you use CA.pl instead of CA.sh, which is older.
> > >
> > > What is giving you the error? If it's a client then you'd need to
> > > include a command line switch or configuration option telling it to
> > > include 'cacert.pem' in its trusted list of CAs.
> > >
> > > Steve.
> > > --
> >
> > Thank you for answering.
> > The error is given by ldapsearch (and ldap.conf and slapd.conf are well
> > configured).
> > The error is also reported by openssl:
> > "self signed certificate in certification chain"
> > (the CA certificate)
>
> The problem is not that you have a self-signed CA; it is that the software
> doesn't trust it. The configuration or command line options should provide
> a means of specifying a file or directory containing trusted CAs. You
> should change them to include 'cacert.pem'.
>
> Steve.
I used CA.pl -newcert.
I thought it does everything for me.
Here is what I got:

ldap misc # openssl verify demoCA/cacert.pem
demoCA/cacert.pem: 
/C=BE/ST=BEGLIUM/L=BRUSSELS/O=CAAMI_CA1/OU=CCI/CN=CAAMI_CA1/[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
OK



Re: cacert.pem selfsigned certificate problem

2004-11-24 Thread Dr. Stephen Henson
On Wed, Nov 24, 2004, Florin Angelescu wrote:

> On Wednesday 24 November 2004 11:44, Dr. Stephen Henson wrote:
> > On Wed, Nov 24, 2004, Florin Angelescu wrote:
> > > On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:
> > > > On Tue, Nov 23, 2004, Florin Angelescu wrote:
> > > > > Hello,
> > > > > I am trying to set up SSL access to LDAP
> > > > > following http://www.openldap.org/faq/data/cache/185.html
> > > > >
> > > > > I created my CA
> > > > > and signed the certificates for the server and client,
> > > > > but I still get a 'self signed error'.
> > > > > I checked and I saw that it was because of cacert.pem, which is
> > > > > self-signed.
> > > > >
> > > > > Question: how to solve this?
> > > > > (Do I have to sign the CA certificate by another CA? And how?)
> > > > > Thank you very much.
> > > >
> > > > Firstly, I'd suggest you use CA.pl instead of CA.sh, which is older.
> > > >
> > > > What is giving you the error? If it's a client then you'd need to
> > > > include a command line switch or configuration option telling it to
> > > > include 'cacert.pem' in its trusted list of CAs.
> > > >
> > > > Steve.
> > > > --
> > >
> > > Thank you for answering.
> > > The error is given by ldapsearch (and ldap.conf and slapd.conf are well
> > > configured).
> > > The error is also reported by openssl:
> > > "self signed certificate in certification chain"
> > > (the CA certificate)
> >
> > The problem is not that you have a self-signed CA; it is that the software
> > doesn't trust it. The configuration or command line options should provide
> > a means of specifying a file or directory containing trusted CAs. You
> > should change them to include 'cacert.pem'.
> >
> > Steve.
> I used CA.pl -newcert.
> I thought it does everything for me.
> Here is what I got:
> 
> ldap misc # openssl verify demoCA/cacert.pem
> demoCA/cacert.pem: 
> /C=BE/ST=BEGLIUM/L=BRUSSELS/O=CAAMI_CA1/OU=CCI/CN=CAAMI_CA1/[EMAIL PROTECTED]
> error 18 at 0 depth lookup:self signed certificate
> OK
> 

If you do:

openssl verify -CAfile demoCA/cacert.pem demoCA/cacert.pem

or

openssl verify -CAfile demoCA/cacert.pem newcert.pem

(or whatever the server certificate is called) it should then be OK.

If OpenSSL just trusted any certificate created by CA.pl then anyone could
create a certificate that your system would trust and that would be a rather
large security hole. So you have to tell the OpenSSL applications which CAs
they should trust. That's what the -CAfile command line option above is doing.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
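As an added example (not code from the thread, nor OpenSSL's own CA.pl), the following script builds a throwaway CA and server certificate, reproduces the "error 18" result quoted above and the "self signed certificate in certificate chain" error that ldapsearch reports (error 19), and shows that naming cacert.pem with -CAfile is what turns both into OK. It assumes openssl(1) is on PATH; the CA name, hostname and request config are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from CA.pl: build a throwaway CA
# and a server certificate, then show why "openssl verify" reports error 18/19
# until the CA is named as a trust anchor with -CAfile.
# Assumes openssl(1) on PATH; all files go to a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal request config (constructed) so the CA carries CA:TRUE regardless of
# what the system openssl.cnf contains.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA (what CA.pl -newca creates) and a server cert signed by it.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout cakey.pem -out cacert.pem -days 30 >/dev/null 2>&1
openssl req -new -config ca.cnf -subj "/CN=ldap.example.test" \
  -newkey rsa:2048 -nodes -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
  -CAcreateserial -days 30 -out newcert.pem >/dev/null 2>&1

# verify_result: prints "OK" when the chain verifies, otherwise the X509_V_ERR
# number from the "error N at D depth lookup: ..." line (works with old
# openssl builds that exit 0 on failure as well as new ones that exit 1).
verify_result() {
  out=$(openssl verify "$@" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"; else echo OK; fi
}

# 18 = self signed certificate: the CA checked on its own with no trust anchor.
verify_result cacert.pem
# 19 = self signed certificate in certificate chain: the server cert with the CA
# supplied only as an untrusted chain member, i.e. what ldapsearch sees when
# slapd sends its chain but the client has no TLS_CACERT configured.
verify_result -untrusted cacert.pem newcert.pem
# OK: the same chain once cacert.pem is named as trusted.
verify_result -CAfile cacert.pem newcert.pem
```

The three verify_result calls print 18, 19 and OK in that order; only the last configuration corresponds to a client that has been told which CA to trust.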


Re: cacert.pem selfsigned certificate problem

2004-11-25 Thread Dr. Stephen Henson
On Wed, Nov 24, 2004, Florin Angelescu wrote:

> On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:
> > On Tue, Nov 23, 2004, Florin Angelescu wrote:
> > > Hello,
> > > I am trying to set up SSL access to LDAP
> > > following http://www.openldap.org/faq/data/cache/185.html
> > >
> > > I created my CA
> > > and signed the certificates for the server and client,
> > > but I still get a 'self signed error'.
> > > I checked and I saw that it was because of cacert.pem, which is self-signed.
> > >
> > > Question: how to solve this?
> > > (Do I have to sign the CA certificate by another CA? And how?)
> > > Thank you very much.
> >
> > Firstly, I'd suggest you use CA.pl instead of CA.sh, which is older.
> >
> > What is giving you the error? If it's a client then you'd need to include a
> > command line switch or configuration option telling it to include
> > 'cacert.pem' in its trusted list of CAs.
> >
> > Steve.
> > --
> Thank you for answering.
> The error is given by ldapsearch (and ldap.conf and slapd.conf are well
> configured).
> The error is also reported by openssl:
> "self signed certificate in certification chain"
> (the CA certificate)
> 

The manual pages for ldapsearch don't include a command line option to add
trusted CAs, but it looks like there's a configuration file option in the
system-wide ldap.conf or the local .ldaprc file.

I suggest you add an entry saying:

TLS_CACERT /path/to/cacert.pem

where /path/to/cacert.pem is wherever you've placed cacert.pem.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk