I know this is quite an easy question for a veteran of GnuTLS, but I'm really used to OpenSSL, and a week ago I didn't know there was an alternative to OpenSSL.
So I'm trying to build an LDAP proxy using OpenLDAP. The proxy works fine until I try to add TLS to it.
The only error I could gather is this one:
main: TLS init def ctx failed: -1
That's when I realized Ubuntu compiles OpenLDAP with GnuTLS, not with OpenSSL, so I wanted to verify my certificates to be sure GnuTLS can read and understand them.
I just need help verifying my certificate using certtool.
I have been able to verify my CA cert. At first it didn't work:
certtool -e --infile certificate_chain.cer.pem
Loaded 2 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Then I read somewhere (don't ask me where) that GnuTLS needs the certificates in the reverse order from OpenSSL, so I inverted the certificate order in certificate_chain.cer.pem and it worked:
certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
But when I try to verify my server certificate, no matter what I do, I am unable to get “Output: Verified. The certificate is trusted.”:
certtool -e --infile p01ldp5001.cer.pem --load-ca-certificate=certificate_chain.cer.pem.gnutls
|<1>| There was a non-CA certificate in the trusted list: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local.
Loaded 1 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Can someone help me with that?
Are my files not correct?
Am I using some parameter wrong?
Patrick Ouellet
Linux Administrator
Operations
VPSI
Groupe Promutuel
2000, boulevard Lebourgneuf, 4th floor, Québec (Québec) G2K 0B6
Tel.: 418 840-1188, ext. 2393 / 1 800 510-4630
Fax: 418 840-9900
promutuelassurance.ca<https://www.promutuelassurance.ca/>
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
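As an added example (my own code, not from the original post or from the GnuTLS project), here is a dependency-free Python script that inspects a PEM bundle the way one would before handing it to certtool: it prints each certificate's subject and issuer, classifies the file as leaf-first (the OpenSSL convention, each certificate followed by its issuer) or root-first, and lists any certificate in a would-be CA bundle that does not carry basicConstraints cA=TRUE, the condition behind certtool's "non-CA certificate in the trusted list" warning. It walks only the names and that one extension and checks no signatures or dates; certtool still does the real verification. The certificate names and the certificates themselves are constructed, unsigned test data, not the poster's files.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OIDS = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}
BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # id-ce-basicConstraints (2.5.29.19)

def read_tlv(buf, pos=0):
    """(tag, value, next_pos) for the DER element at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def iter_seq(buf):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val
def name_to_str(name_der):
    """Render an X.501 Name the way certtool prints it, e.g. C=CA,O=Example,CN=..."""
    parts = []
    for _, rdn in iter_seq(name_der):            # RDN = SET OF AttributeTypeAndValue
        for _, atv in iter_seq(rdn):
            (_, oid), (_, val) = list(iter_seq(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ",".join(parts)
def tbs_fields(der):
    """tbsCertificate fields minus the [0] version: serial, sigAlg, issuer, validity, subject, spki, ..."""
    tbs = read_tlv(read_tlv(der)[1])[1]
    fields = list(iter_seq(tbs))
    return fields[1:] if fields[0][0] == 0xA0 else fields
def subject_issuer(der):
    f = tbs_fields(der)
    return name_to_str(f[4][1]), name_to_str(f[2][1])
def is_ca(der):
    """True only if a basicConstraints extension (in the EXPLICIT [3] field) carries cA=TRUE."""
    for tag, val in tbs_fields(der):
        if tag != 0xA3:
            continue
        for _, ext in iter_seq(read_tlv(val)[1]):
            items = list(iter_seq(ext))          # extnID, [critical], extnValue
            if items[0][1] == BASIC_CONSTRAINTS:
                flags = list(iter_seq(read_tlv(items[-1][1])[1]))
                return bool(flags) and flags[0][0] == 0x01 and flags[0][1] != b"\x00"
    return False

def chain_report(pem_bytes):
    """[(subject, issuer), ...] in file order; signatures are NOT checked."""
    return [subject_issuer(base64.b64decode(m)) for m in PEM_RE.findall(pem_bytes)]
def chain_order(pem_bytes):
    """'leaf-first' if every cert is issued by the next one, 'root-first' if by the previous one."""
    certs = chain_report(pem_bytes)
    pairs = list(zip(certs, certs[1:]))
    if not pairs:
        return "single"
    if all(a[1] == b[0] for a, b in pairs):
        return "leaf-first"
    if all(b[1] == a[0] for a, b in pairs):
        return "root-first"
    return "broken"
def non_ca_in_bundle(pem_bytes):
    """Subjects in a trust bundle that lack cA=TRUE: what certtool warns about when a
    server certificate ends up in the --load-ca-certificate file."""
    return [subject_issuer(d)[0] for d in map(base64.b64decode, PEM_RE.findall(pem_bytes)) if not is_ca(d)]

# --- constructed test data: unsigned but structurally valid v3 certificates (placeholders) ---
def tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def seq(*parts): return tlv(0x30, b"".join(parts))
def name(pairs): return seq(*(tlv(0x31, seq(tlv(0x06, OIDS[k]), tlv(0x0C, v.encode()))) for k, v in pairs))
def fake_cert(subject, issuer, ca):
    """Placeholder certificate with an all-zero signature: for structure tests only."""
    alg = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))  # sha256WithRSA
    bc = seq(tlv(0x01, b"\xff")) if ca else seq()
    exts = tlv(0xA3, seq(seq(tlv(0x06, BASIC_CONSTRAINTS), tlv(0x01, b"\xff"), tlv(0x04, bc))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name(issuer),
              seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"340101000000Z")),
              name(subject), seq(alg, tlv(0x03, b"\x00")), exts)
    return seq(tbs, alg, tlv(0x03, b"\x00"))
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(re.findall(".{1,64}", b64))

ROOT_DN = [("C", "CA"), ("O", "Example"), ("CN", "Example Root CA")]
INTER_DN = [("C", "CA"), ("O", "Example"), ("CN", "Example Intermediate CA 1")]
SERVER_DN = [("C", "CA"), ("O", "Example"), ("CN", "ldap.example.internal")]
ROOT = to_pem(fake_cert(ROOT_DN, ROOT_DN, True))
INTER = to_pem(fake_cert(INTER_DN, ROOT_DN, True))
SERVER = to_pem(fake_cert(SERVER_DN, INTER_DN, False))
LEAF_FIRST = (SERVER + INTER + ROOT).encode()       # OpenSSL-style chain file
ROOT_FIRST = (ROOT + INTER + SERVER).encode()       # the same chain reversed
CA_BUNDLE = (ROOT + INTER).encode()                 # what belongs in --load-ca-certificate
POLLUTED_BUNDLE = (ROOT + INTER + SERVER).encode()  # server cert pasted into the CA file

if __name__ == "__main__":
    print(chain_order(LEAF_FIRST), chain_order(ROOT_FIRST), non_ca_in_bundle(POLLUTED_BUNDLE))
```

Run it as a script, or import it and call chain_order() and non_ca_in_bundle() on the bytes of your own chain file. Whichever order your certtool version expects, "broken" means adjacent certificates do not link by issuer and subject at all, and a non-empty non_ca_in_bundle() result means the file passed to --load-ca-certificate contains something that is not a CA.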