Believe that you may need the "T" trust setting on the CA certificate too:

certutil
-t trustargs
           Specify the trust attributes to modify in an existing certificate
           or to apply to a certificate when creating it or adding it to a
           database. There are three available trust categories for each
           certificate, expressed in the order SSL, email, object signing for
           each trust setting. In each category position, use none, any, or
           all of the attribute codes:

           ·   p - Valid peer

           ·   P - Trusted peer (implies p)

           ·   c - Valid CA

           ·   C - Trusted CA (implies c)

           ·   T - trusted CA for client authentication (ssl server only)

Steve Vandenburgh
LDAP Directory Services/Identity Management

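The trust-flag fix described above, shown as an added audit script (not code from the original thread or from the 389-DS project): it parses a `certutil -L` listing, reports CA entries that carry `C` (trusted to issue server certificates) but not `T` (trusted to issue client certificates), and prints the `certutil -M` command that would add the flag. The listing embedded below is a constructed sample modelled on the one in the original post, and the nickname `other_ca` is invented for contrast.

```shell
#!/bin/sh
# Added example: audit an NSS certificate DB listing for CA certificates that
# are trusted for server-cert issuance ("C") but not client-cert issuance ("T").
# The listing below is a constructed sample, not output from a real server.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,
other_ca                                                     CT,,
'

# Print the nickname of every entry whose SSL trust field (first of the three
# comma-separated fields) contains C but not T. Header lines are skipped
# because their last field carries no comma or is the only field.
missing_client_auth_trust() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /,/ {
            split($NF, f, ",")
            if (f[1] ~ /C/ && f[1] !~ /T/) print $1
        }'
}

# Build the certutil command that adds the T flag to a nickname in the DB in
# the current directory (-M modifies trust attributes of an existing cert).
# The command is printed, not executed, so this script is safe to run anywhere.
fix_command() {
    printf 'certutil -M -d . -n %s -t "CT,,"\n' "$1"
}

for nick in $(missing_client_auth_trust "$SAMPLE_LISTING"); do
    fix_command "$nick"
done
```

Run it from the `slapd-<instance>` directory with the real listing (`missing_client_auth_trust "$(certutil -L -d .)"`) and apply the printed command; afterwards `certutil -V -d . -n <client-cert-nickname> -u C` confirms that a client certificate chains to a CA the DB now trusts for SSL client authentication.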
-----Original Message-----
From: Eli <elish...@gmail.com>
Sent: Tuesday, April 2, 2019 11:41 AM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Peer's certificate issuer has been marked as not trusted by the user

Hello,

I am trying to set up a mutual TLS authenticated 389-DS LDAP server, where 
the client and the server will perform certificate based authentication.
This should be a test system and not a production system.

I have a Windows CA that signed the LDAP server certificate and the client 
certificate (.p12). The server has the CA root and its own cert loaded:
[root@ldap2sit slapd-ldap2sit]# certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and 
Certificate Services"
< 0> rsa      90f72656c6c26fad75fbc5787105197301d76bab   Server-Cert
[root@ldap2sit slapd-ldap2sit]#
[root@ldap2sit slapd-ldap2sit]#
[root@ldap2sit slapd-ldap2sit]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,


I have a client defined in the LDAP:
uid=a47886b9fffc , cn=a47886b9fffc , o=Avaya , l=Holon, mail=eshmu...@avaya.com

The certificate I have on the client is:
Issued to: a47886b9fffc
Issued by: sititcdc  (which is the same CA that signed the server certificate, and 
its root is loaded on the server)
Issuer: cn=sititcdc,dc=sititc,dc=dom
Subject: e=eshmu...@avaya.com, cn=a47886b9fffc, ou=SIT, o=Avaya, L=Holon, 
S=Israel, C=IL

My /etc/dirsrv/ldap2sit/certmap.conf:
certmap ldap2sit        o=Avaya,l=Holon
ldap2sit:DNComps
ldap2sit:FilterComps    cn
ldap2sit:verifycert     on

When trying to connect I get a connection failure with the following entries in 
/var/log/dirsrv/.../error:
[02/Apr/2019:20:33:11.096582067 +0300] conn=5 fd=64 slot=64 SSL connection from 
149.49.161.10 to 149.49.78.110
[02/Apr/2019:20:33:11.139068683 +0300] conn=5 Netscape Portable Runtime error 
-8172 (Peer's certificate issuer has been marked as not trusted by the user.); 
unauthenticated client 
E=eshmu...@avaya.com,CN=a47886b9fffc,OU=SIT,O=Avaya,L=Holon,ST=Israel,C=IL; 
issuer CN=sititcdc,DC=sititc,DC=dom
[02/Apr/2019:20:33:11.139131964 +0300] conn=5 op=-1 fd=64 closed - Peer's 
certificate issuer has been marked as not trusted by the user.

In wireshark trace I see the server is closing the TCP/TLS connection with 
alert (Level: Fatal, Description: Unknown CA)

Can you tell me what I am doing wrong here?

Thanks,
Eli
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send 
an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org