Can you do a certutil -L -d <path to directory that holds cert8.db>
AFAIK it should have two entries like:
w2k3r2.win2003r2.home_1 P,,
w2k3r2.win2003r2.home_2 C,,
And when you do a certutil -L -n w2k3r2.win2003r2.home_1 -a -d <path to
directory that holds cert8.db> > w2k3r2.win2003r2.home_1.pem and then
openssl x509 -noout -text -in w2k3r2.win2003r2.home_1.pem, it gives something
like (e.g. a web server cert) (BTW, you could also use certutil -L -n
w2k3r2.win2003r2.home_2 -d ., but the output format is a little bit different):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
19:09:10:68:00:00:00:00:00:03
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=home, DC=win2003r2, CN=WIN2003R2CA
Validity
Not Before: Dec 23 15:42:41 2007 GMT
Not After : Dec 22 15:42:41 2009 GMT
Subject: C=GB, ST=London, L=London, O=HOME, OU=Markus,
CN=w2k3r2.win2003r2.home
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d9:88:3c:2b:cc:10:2e:eb:3b:16:22:9b:16:67:
03:aa:db:99:ae:e0:bc:1f:f0:b3:1f:0c:54:40:ce:
f5:98:da:4b:fe:fa:73:b2:95:b8:1f:57:45:65:8a:
d6:0a:de:4b:07:66:7d:3b:4e:c6:18:27:7b:ed:df:
83:f1:fe:6e:c2:40:2f:2c:d4:56:54:81:2b:4f:a3:
53:5e:3d:70:c9:55:4b:60:7c:71:60:02:25:ef:f7:
10:7e:27:0e:ad:ce:63:b2:1e:9e:ff:8e:11:0b:09:
37:13:05:d5:78:4a:1c:2e:89:45:94:61:82:b4:24:
0f:e7:3e:c3:49:0c:fe:5f:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
......0...+....0050...*.H..
..*.H..
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
76:BA:CE:31:70:93:CF:AC:01:AE:60:FD:92:63:E6:F3:00:C6:10:B0
X509v3 Authority Key Identifier:
keyid:6D:85:85:27:F2:82:D7:1D:1F:48:D4:9A:46:31:A6:26:A1:44:1D:01
X509v3 CRL Distribution Points:
URI:ldap:///CN=WIN2003R2CA,CN=w2k3r2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2003r2,DC=home?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://w2k3r2.win2003r2.home/CertEnroll/WIN2003R2CA.crl
Authority Information Access:
CA Issuers -
URI:ldap:///CN=WIN2003R2CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2003r2,DC=home?cACertificate?base?objectClass=certificationAuthority
CA Issuers -
URI:http://w2k3r2.win2003r2.home/CertEnroll/w2k3r2.win2003r2.home_WIN2003R2CA.crt
1.3.6.1.4.1.311.20.2:
...W.e.b.S.e.r.v.e.r
Signature Algorithm: sha1WithRSAEncryption
36:df:2c:8d:df:e6:0a:fc:53:88:92:f8:ee:b1:6c:8e:03:bc:
26:68:15:2c:e1:01:04:e3:a4:53:72:da:c8:d7:d1:3c:9e:77:
d1:b0:87:72:2f:e6:94:5b:7c:3b:c1:d6:bd:c9:da:89:c5:87:
7a:d7:08:1f:7d:45:e5:51:d0:c0:14:1c:71:3d:79:c7:f6:71:
50:f7:b4:07:d5:7d:c8:28:01:0e:94:cd:d2:03:2b:5a:18:85:
a0:a3:ff:62:2c:c0:c3:19:48:c2:e3:1e:cd:12:df:d8:cf:60:
c1:44:bd:03:cb:4b:d9:be:a3:69:ec:16:5c:ba:f8:93:09:44:
ac:22:8b:5a:03:21:2e:12:a7:e6:a3:7d:be:dc:08:ee:f8:4f:
6e:60:df:c0:1b:99:12:e3:e7:d1:ae:05:27:e1:7a:6e:36:a4:
8a:9c:77:e4:fb:1b:f6:7d:26:f8:c8:54:21:c7:da:3a:68:d6:
72:14:b1:6f:1e:25:f8:16:ba:40:85:e0:b8:40:70:7f:33:c1:
b4:64:8d:be:10:b8:be:0c:2c:3c:0d:ea:2f:6a:b3:1b:17:73:
6d:05:1b:78:1f:f5:f5:c6:8b:6b:4c:3f:aa:97:7e:36:0f:56:
1c:40:50:1a:20:bd:50:44:02:81:2d:bd:6e:30:dc:0f:0b:0b:
d4:94:36:5c
and for the second entry certutil -L -n w2k3r2.win2003r2.home_2 -a -d <path
to directory that holds cert8.db> > w2k3r2.win2003r2.home_2.pem and then
openssl x509 -noout -text -in w2k3r2.win2003r2.home_2.pem gives something
like (e.g. a CA cert (see Basic Constraints)):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:7e:a4:6a:8e:17:e9:a2:45:08:7c:f1:9d:d5:a0:88
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=home, DC=win2003r2, CN=WIN2003R2CA
Validity
Not Before: Dec 21 21:15:39 2007 GMT
Not After : Dec 21 21:24:07 2012 GMT
Subject: DC=home, DC=win2003r2, CN=WIN2003R2CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:90:69:da:03:24:b7:f7:6a:c4:00:8c:de:0a:89:
25:a1:fd:9d:55:30:fd:a6:d0:b4:dd:c2:fa:6f:8d:
bf:6a:ce:0a:bf:81:90:af:fb:15:dd:67:ca:68:b2:
7f:63:8b:a4:ef:e9:d2:37:0f:c1:a3:5f:bf:dc:e1:
7c:c5:8b:c8:36:fa:c9:e9:b6:e2:ce:7d:cd:6f:b4:
17:4b:b0:08:7f:c2:b8:14:eb:0c:4a:39:b3:bb:c7:
6d:19:40:62:98:21:73:67:08:70:dc:32:c7:b5:05:
60:d6:ac:1a:45:50:cf:4c:37:a2:94:91:29:56:33:
3a:52:4c:74:be:57:4a:1c:1f:f5:d6:54:0f:1d:c5:
49:fc:9e:13:16:5d:11:a2:8f:47:64:ad:d2:c1:f4:
81:ce:66:c0:e8:9e:12:8b:8f:f6:5e:65:e8:2a:a4:
24:42:4e:22:eb:d5:bc:ee:53:9f:ac:86:66:24:2c:
ac:f8:9a:05:6c:df:c8:72:48:a9:75:47:86:cb:31:
df:08:7f:94:7d:be:63:4d:ea:9d:93:5a:84:ac:f3:
ff:36:43:39:c3:76:53:98:01:29:a5:7e:54:f6:bc:
07:7a:de:d5:ae:c1:7b:8f:9b:0d:83:43:6d:b5:90:
dc:e3:8c:e9:88:cb:88:29:40:cc:1d:96:29:07:3a:
6c:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6D:85:85:27:F2:82:D7:1D:1F:48:D4:9A:46:31:A6:26:A1:44:1D:01
X509v3 CRL Distribution Points:
URI:ldap:///CN=WIN2003R2CA,CN=w2k3r2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2003r2,DC=home?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://w2k3r2.win2003r2.home/CertEnroll/WIN2003R2CA.crl
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
05:cf:15:b5:a5:79:70:7f:4c:72:3d:8b:60:88:9f:48:b6:fe:
74:1a:f3:e8:35:88:47:2e:83:18:56:18:ec:2a:3d:fb:3f:c7:
34:d1:51:ad:2c:3f:1f:c1:14:e4:41:af:b2:b7:03:3e:6c:d3:
84:4e:a0:80:fc:f1:a8:70:81:d7:2e:67:e7:f1:2c:38:fc:77:
81:c5:9f:46:f9:88:62:81:7e:80:11:32:f1:ac:0f:72:e5:0a:
be:6e:f3:7e:57:bb:68:ad:4d:f5:37:fc:74:f8:00:71:61:27:
e2:a4:32:5f:b3:14:27:fc:d3:50:e1:21:ce:67:e3:5f:eb:07:
04:62:5c:88:57:a9:fb:0d:a5:e4:da:ae:43:97:20:5f:e3:50:
e7:61:1e:7e:10:ac:d5:e9:87:59:ae:17:e9:c5:dc:1c:34:91:
3a:44:94:3c:e2:67:da:26:54:d2:2d:ad:e8:e9:e4:f9:53:f9:
88:dc:a7:1b:6a:eb:de:28:6e:c2:2e:dd:6d:ca:ee:1e:37:4a:
bb:8f:95:d8:9e:e0:dd:27:9a:28:94:0c:8a:c4:47:e9:98:df:
71:ad:9d:2a:12:f7:c4:cc:d5:de:c8:5f:61:b9:26:bb:25:db:
be:3e:23:94:d5:83:fc:3b:93:43:68:7f:7b:51:5e:77:b0:ac:
3e:5f:4d:65
Regards
Markus
"Kashif Ali Siddiqui" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi,
>
> I am facing a very serious problem. I am currently unable to get a
> successful LDAP bind over SSL. The LDAP server is Windows AD server with
> SSL enabled on the default port 636. The libraries I use are
>
> * Mozilla c-sdk 6.0.3
> * NSPR 4.6.4
> * NSS 3.11.4
>
> Here is the sequence of calls I made ...
>
> 1. ldap_set_option ( NULL, LDAP_OPT_SSL, LDAP_OPT_ON )
> 2. ldapssl_client_init ( <path to directory that holds cert8.db>, NULL)
> 3. ld = ldapssl_init( <server ip address>, <server port>, 1 )
> 4. ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void*)&version)
> 5. ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timeout )
> 6. ldap_set_option(ld, LDAP_OPT_SIZELIMIT, (void *)&maxEntitiesLimit )
> 7. ldap_set_option(ld, LDAP_OPT_RECONNECT, LDAP_OPT_ON )
> 8. ldap_simple_bind_s(ld, <user dn>, <user passwd>)
>
> The return values from calls 1 to 7 are all LDAP_SUCCESS, whereas the
> return value of call #8 is LDAP_SERVER_DOWN, although the server is up
> and running with SSL enabled, so why is this error returned? I have also
> checked the settings (server-ip, port, user-dn, user-passwd) using a
> third-party LDAP tool, Softerra LDAP Administrator, and it works fine,
> confirming that there is some issue either in the Mozilla LDAP libraries or in
> my code.
>
> Please help me resolve this issue.
>
> Kashif Ali Siddiqui
>
>
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
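An added example (not part of the thread above, and not Markus's or Kashif's code): once the two entries have been exported with certutil and dumped with openssl as described, the checks a practitioner would actually run on those dumps are (a) is the _2 entry really the issuer of the _1 entry (issuer DN vs. subject DN, Authority Key Identifier vs. Subject Key Identifier, CA:TRUE and Certificate Sign on the CA), (b) does the name the client connects with match the server certificate, and (c) is the certificate inside its validity period. The script below parses the text that `openssl x509 -noout -text` prints and runs those checks. The embedded samples are copied from the two dumps above, trimmed to the fields used (public-key and signature bytes omitted); the IP literal 192.0.2.10 used as a second connection target is an assumed value, not something from the thread. The name check is a simplified version of what a TLS client does for a certificate without a subjectAltName (NSS also falls back to the subject CN in that case); it is not NSS's own code.

```python
"""Added example: consistency checks on the two openssl dumps above.
Parses `openssl x509 -noout -text` output and checks that the CA entry
(_2) really issued the server entry (_1), that the name the client
connects with matches the cert, and that the cert is still valid."""
import re
from datetime import datetime

# Sample input copied from the dumps in the thread, trimmed to the fields
# used here (public-key and signature bytes omitted).
SERVER_CERT = """\
Certificate:
    Data:
        Issuer: DC=home, DC=win2003r2, CN=WIN2003R2CA
        Validity
            Not Before: Dec 23 15:42:41 2007 GMT
            Not After : Dec 22 15:42:41 2009 GMT
        Subject: C=GB, ST=London, L=London, O=HOME, OU=Markus, CN=w2k3r2.win2003r2.home
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                76:BA:CE:31:70:93:CF:AC:01:AE:60:FD:92:63:E6:F3:00:C6:10:B0
            X509v3 Authority Key Identifier:
                keyid:6D:85:85:27:F2:82:D7:1D:1F:48:D4:9A:46:31:A6:26:A1:44:1D:01
"""

CA_CERT = """\
Certificate:
    Data:
        Issuer: DC=home, DC=win2003r2, CN=WIN2003R2CA
        Validity
            Not Before: Dec 21 21:15:39 2007 GMT
            Not After : Dec 21 21:24:07 2012 GMT
        Subject: DC=home, DC=win2003r2, CN=WIN2003R2CA
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                6D:85:85:27:F2:82:D7:1D:1F:48:D4:9A:46:31:A6:26:A1:44:1D:01
"""

def _field(text, label):
    """Value printed on the same line as `label` (e.g. "Issuer:"), or None."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def _ext(text, name):
    """First value line under the X509v3 extension header `name`, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r":.*\n\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def parse_cert_text(text):
    """Pull the fields the checks below need out of the openssl text dump."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    ku = _ext(text, "X509v3 Key Usage")
    eku = _ext(text, "X509v3 Extended Key Usage")
    aki = _ext(text, "X509v3 Authority Key Identifier")
    return {
        "subject": _field(text, "Subject:"),
        "issuer": _field(text, "Issuer:"),
        "not_before": datetime.strptime(_field(text, "Not Before:"), fmt),
        "not_after": datetime.strptime(_field(text, "Not After :"), fmt),
        "key_usage": [u.strip() for u in ku.split(",")] if ku else [],
        "ext_key_usage": [u.strip() for u in eku.split(",")] if eku else [],
        "ski": _ext(text, "X509v3 Subject Key Identifier"),
        "aki": aki.replace("keyid:", "") if aki else None,  # openssl prefixes "keyid:"
        "is_ca": _ext(text, "X509v3 Basic Constraints") == "CA:TRUE",
    }

def issuer_problems(leaf, ca):
    """Reasons `ca` cannot have issued `leaf`; an empty list means it chains."""
    problems = []
    if leaf["issuer"] != ca["subject"]:
        problems.append("leaf issuer DN != CA subject DN")
    if leaf["aki"] and leaf["aki"] != ca["ski"]:
        problems.append("leaf authorityKeyIdentifier != CA subjectKeyIdentifier")
    if not ca["is_ca"]:
        problems.append("CA cert lacks basicConstraints CA:TRUE")
    if "Certificate Sign" not in ca["key_usage"]:
        problems.append("CA keyUsage lacks Certificate Sign")
    if leaf["not_before"] < ca["not_before"] or leaf["not_after"] > ca["not_after"]:
        problems.append("leaf validity period extends beyond the CA's")
    return problems

def name_matches(cert, target):
    """Does the name passed to the client match the server cert?
    These certs carry no subjectAltName, so only the subject CN counts;
    an IP literal therefore matches only if the CN is literally that IP."""
    cns = re.findall(r"(?:^|, )CN=([^,]+)", cert["subject"])
    return bool(cns) and cns[-1].lower() == target.lower()

def valid_at(cert, when):
    return cert["not_before"] <= when <= cert["not_after"]

if __name__ == "__main__":
    server, ca = parse_cert_text(SERVER_CERT), parse_cert_text(CA_CERT)
    print("chain problems:", issuer_problems(server, ca) or "none")
    # Assumed connection targets: the CN hostname and a made-up IP literal.
    for target in ("w2k3r2.win2003r2.home", "192.0.2.10"):
        print(target, "matches cert:", name_matches(server, target))
    print("server cert valid now:", valid_at(server, datetime.now()))
```

Run against the two dumps, the chain check passes (the _2 entry is the issuer of _1), the hostname in the CN matches while an IP literal does not, and the server certificate reports as expired because its Not After is in 2009. Run it on your own export: if the chain check fails, the CA in cert8.db is not the one that signed the server cert; if the name check fails, the host string given to the client is not the one the certificate was issued for. The dumps also show a SHA-1 signature, which modern TLS clients reject outright, so the same export is worth re-checking on a current server.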