Hi,
Karsten Römke <[EMAIL PROTECTED]> writes:

> Dieter Kluenter schrieb:
>> Karsten Römke <[EMAIL PROTECTED]> writes:
>>
>>> Dieter Kluenter schrieb:
>>>> Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
>>>>
>>>>> --On Wednesday, August 23, 2006 8:18 PM +0200 Karsten Römke
>>>>> <[EMAIL PROTECTED]> wrote:
[...]
>>> oracle:/etc/openldap # openssl x509 -in servercrt.pem -text
>>> Certificate:
>>>     Data:
>>>         Version: 3 (0x2)
>>>         Serial Number: 2 (0x2)
>>>         Signature Algorithm: md5WithRSAEncryption
>>>         Issuer: C=DE, ST=NRW, L=Bonn, O=hhb, OU=it,
>>>                 CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
>>>         Validity
>>>             Not Before: Aug 23 14:38:15 2006 GMT
>>>             Not After : Aug 18 14:38:15 2026 GMT
>>>         Subject: C=DE, ST=NRW, L=bonn, O=hhb, OU=it,
>>>                 CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
>>>         Subject Public Key Info:
>> [...]
>>>             X509v3 Subject Key Identifier:
>>>                 1C:78:8F:7C:76:75:2A:8E:EE:DD:8A:C0:AA:A7:AE:96:D8:38:79:84
>>>             X509v3 Authority Key Identifier:
>>>                 keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
>>>                 DirName:/C=DE/ST=NRW/L=Bonn/O=hhb/OU=it/CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
>>
>> The common name of your host is 'oracle.hhb.bonn.de'. This address is
>> checked and validated by clients, that is 'localhost' or any other
>> alias address is not a valid address anymore, unless you have declared
>> a subject alternate name for this cn.
>> Please check the keyid of X509v3 Authority Key Identifier with your
>> cacert.pem
[...]
> Hi Dieter, I haven't time today to look for the problem.
> What do you mean with the sentence
>> Please check the keyid of X509v3 Authority Key Identifier with your
>> cacert.pem
> sorry, if the question is stupid but I never looked in the details
> of openssl - and up to now it wasn't necessary :-)

The value of X509v3 Authority Key Identifier keyid in your servercert.pem
is identical to the value in your cacert.pem; it is a proof of the correct
cacert. If the value differs, you have signed your servercert with the
wrong cacert.

> I've read, that I have to set the common name to my fqdn (of the server)
> but I don't understand the reason. What means: checked and validated by
> the clients? - must the name resolve to an ip or what means validated?

A searchstring contains a hostname, i.e.
ldapsearch -H ldap://my.host.mydomain
in any configuration file you define a ldap host. This hostname is
checked against the CN of a certificate; if these don't match, the
searchstring is not valid. A good dictionary will give you more
information on validation.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
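The two checks Dieter describes, as an added example that is not part of the thread: it reads `openssl x509 -text` output (a simplification; a real client parses the DER certificate) and verifies that the host in the ldap:// URI matches the certificate's SAN or CN, and that the server certificate's Authority Key Identifier keyid equals the CA certificate's Subject Key Identifier. The server dump mirrors the values quoted above; the CA dump and the `check_ldap_uri` helper are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Server dump mirrors the thread; CA dump is constructed so its SKI equals the server's AKI keyid.
SERVER_DUMP = """\
        Issuer: C=DE, ST=NRW, L=Bonn, O=hhb, OU=it, CN=oracle.hhb.bonn.de/emailAddress=[EMAIL PROTECTED]
        Subject: C=DE, ST=NRW, L=bonn, O=hhb, OU=it, CN=oracle.hhb.bonn.de/emailAddress=[EMAIL PROTECTED]
            X509v3 Subject Key Identifier:
                1C:78:8F:7C:76:75:2A:8E:EE:DD:8A:C0:AA:A7:AE:96:D8:38:79:84
            X509v3 Authority Key Identifier:
                keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
"""
CA_DUMP = """\
        Subject: C=DE, ST=NRW, L=Bonn, O=hhb, OU=it, CN=hhb-ca
            X509v3 Subject Key Identifier:
                90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
"""

def parse_x509_text(dump):
    """Extract subject CN, SAN DNS names, SKI and AKI keyid from `openssl x509 -text` output."""
    def grab(pat):
        m = re.search(pat, dump, re.M)
        return m.group(1).strip() if m else None
    san = grab(r"Subject Alternative Name:\s*(.+)")
    return {
        "cn": grab(r"^\s*Subject:.*?CN=([^/,\n]+)"),          # Subject line only, not Issuer
        "san": re.findall(r"DNS:([^,\s]+)", san) if san else [],
        "ski": grab(r"Subject Key Identifier:\s*([0-9A-F:]+)"),
        "aki": grab(r"Authority Key Identifier:\s*keyid:([0-9A-F:]+)"),
    }

def hostname_matches(hostname, cert):
    """Client-side name check: SAN dNSNames win; CN is consulted only when no SAN exists.
    A wildcard covers exactly one leftmost label, so 'localhost' never matches this cert."""
    host = hostname.lower().rstrip(".")
    for name in (cert["san"] or ([cert["cn"]] if cert["cn"] else [])):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            rest = host[: -len(name[1:])] if host.endswith(name[1:]) else ""
            if rest and "." not in rest:
                return True
        elif name == host:
            return True
    return False

def check_ldap_uri(uri, server_dump, ca_dump):
    """Return (name_ok, issuer_ok): the two things the thread asks the client to verify."""
    srv, ca = parse_x509_text(server_dump), parse_x509_text(ca_dump)
    return (hostname_matches(urlparse(uri).hostname or "", srv),
            bool(srv["aki"]) and srv["aki"] == ca["ski"])
```

`check_ldap_uri("ldap://localhost", SERVER_DUMP, CA_DUMP)` returns `(False, True)`: the chain is fine, but 'localhost' is not the certificate's name.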
