I know this is quite an easy question for veterans of GnuTLS, but I'm really used to openssl, and a week ago I didn't know there was an alternative to openssl.

So I'm trying to build an LDAP proxy using openldap. The proxy works fine until I try to add TLS to it.

The only error I could gather is this one:

main: TLS init def ctx failed: -1

That's when I realized Ubuntu compiles openldap with gnutls, not with openssl, so I wanted to verify my certificates to be sure gnutls can read and understand them.

I just need help verifying my certificate using certtool.

I have been able to verify my CA cert.

At first it didn't work:

certtool -e --infile certificate_chain.cer.pem
Loaded 2 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Then I read somewhere, don't ask me where, that gnutls needs the certificates in the reverse order from openssl, so I inverted the certificate order in certificate_chain.cer.pem and it worked:

certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.

But when I try to verify my server certificate, no matter what I do I am unable to get an "Output: Verified. The certificate is trusted."

certtool -e --infile p01ldp5001.cer.pem --load-ca-certificate=certificate_chain.cer.pem.gnutls
|<1>| There was a non-CA certificate in the trusted list: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local.
Loaded 1 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
        Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
        Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Can someone help me with that?
Is it my files that are not correct?
Am I using some parameter wrong?


Patrick Ouellet
Linux Administrator
Operation
VPSI
Groupe Promutuel
2000, boulevard Lebourgneuf, 4e étage, Québec (Québec)  G2K 0B6
Tel: 418 840-1188, ext. 2393  /  1 800 510-4630
Fax: 418 840-9900
promutuelassurance.ca<https://www.promutuelassurance.ca/>



If you need to print this document, please print it double-sided. If you are 
not the intended recipient of this message, please notify the sender of the 
error and destroy the message. Please further note that it is prohibited to 
copy or modify any email without the author’s permission. Promutuel Insurance 
accepts no liability whatsoever with regard to the content of personal messages 
sent by its employees.
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help

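A worked check of the situation in the post, added here as an example; it is not part of the original message and not GnuTLS project code. It assumes a GnuTLS 3.x certtool on PATH and builds a throwaway root, intermediate and server hierarchy from constructed templates (all names and DN values are made up), then verifies the server certificate with `--verify` and `--load-ca-certificate`, which checks the `--infile` certificate against a trusted set and does not depend on the order of certificates inside the CA file. It reproduces the failure behind "The certificate issuer is unknown": a leaf certificate cannot be verified unless the intermediate that signed it is available, either in the trusted CA file or bundled after the leaf. The CA bundle it builds holds only CA certificates, since the post's `|<1>|` warning shows the end-entity certificate itself ending up in the trusted list.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuTLS certtool 3.x.
# Builds a constructed root -> intermediate -> server hierarchy and shows the
# two outcomes from the post: "issuer is unknown" when the intermediate is
# missing, and "Verified" once the full CA chain is available.
set -eu

if ! command -v certtool >/dev/null 2>&1; then
    echo "certtool not found (install gnutls-bin); nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed certtool templates (names are placeholders, not real hosts).
printf '%s\n' 'cn = "Example Root CA"' 'ca' 'cert_signing_key' \
    'expiration_days = 30' > "$WORK/root.tmpl"
printf '%s\n' 'cn = "Example Intermediate CA"' 'ca' 'cert_signing_key' \
    'expiration_days = 30' > "$WORK/inter.tmpl"
printf '%s\n' 'cn = "ldap.example.internal"' 'dns_name = "ldap.example.internal"' \
    'tls_www_server' 'signing_key' 'encryption_key' 'expiration_days = 30' \
    > "$WORK/server.tmpl"

quiet() { "$@" >/dev/null 2>&1; }

# Root CA: self-signed.
quiet certtool --generate-privkey --outfile "$WORK/root.key"
quiet certtool --generate-self-signed --load-privkey "$WORK/root.key" \
    --template "$WORK/root.tmpl" --outfile "$WORK/root.pem"
# Intermediate CA: issued by the root.
quiet certtool --generate-privkey --outfile "$WORK/inter.key"
quiet certtool --generate-certificate --load-privkey "$WORK/inter.key" \
    --load-ca-certificate "$WORK/root.pem" --load-ca-privkey "$WORK/root.key" \
    --template "$WORK/inter.tmpl" --outfile "$WORK/inter.pem"
# Server (end-entity) certificate: issued by the intermediate.
quiet certtool --generate-privkey --outfile "$WORK/server.key"
quiet certtool --generate-certificate --load-privkey "$WORK/server.key" \
    --load-ca-certificate "$WORK/inter.pem" --load-ca-privkey "$WORK/inter.key" \
    --template "$WORK/server.tmpl" --outfile "$WORK/server.pem"

# CA bundle: every CA needed to reach the root, and only CAs. The end-entity
# certificate does not belong in a trusted list (the post's |<1>| warning).
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/ca_chain.pem"

# Run certtool --verify and reduce its exit status to one word.
verify() {  # $1 = trusted CA file, $2 = file to verify
    if certtool --verify --load-ca-certificate "$1" --infile "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Case 1 (the post's failure): only the root is trusted, the leaf is checked
# alone, and the intermediate appears nowhere -> "certificate issuer is unknown".
server_vs_root_only() { verify "$WORK/root.pem" "$WORK/server.pem"; }

# Case 2: the whole CA chain is trusted -> the issuer is found and it verifies.
server_vs_chain() { verify "$WORK/ca_chain.pem" "$WORK/server.pem"; }

# Case 3: root-only trust, but the server file carries its own intermediate
# after the leaf (the order a TLS server sends) -> also verifies.
server_bundle_vs_root() {
    cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/server_bundle.pem"
    verify "$WORK/root.pem" "$WORK/server_bundle.pem"
}

echo "leaf vs root only:         $(server_vs_root_only)"
echo "leaf vs full CA chain:     $(server_vs_chain)"
echo "leaf+intermediate vs root: $(server_bundle_vs_root)"
```

Case 1 is the shape of the failing command in the post; cases 2 and 3 are the two ways to make the intermediate visible to the verifier, which is also what a TLSCACertificateFile for the proxy needs to contain.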