Hi Linus,

Thanks for sticking with me on this...

> openssl x509 -noout -text -in activedir.pem
> and compare that to your "eLearningPublic.pem".

OK, I did that and directed each to a file. Diff says the files are identical.

I also now have some information from the client about the DN, but I'm starting to learn a bit from reading forums. Meanwhile I tried this:

# openssl verify -verbose -issuer_checks /usr/local/etc/openldap/certs/eLearningPublic.pem
/usr/local/etc/openldap/certs/eLearningPublic.pem: /CN=mldshomdsp01.ce.xyz.com.au
error 32 at 0 depth lookup:key usage does not include certificate signing
/CN=mldshomdsp01.ce.xyz.com.au
error 32 at 0 depth lookup:key usage does not include certificate signing
/CN=mldshomdsp01.ce.xyz.com.au
error 32 at 0 depth lookup:key usage does not include certificate signing
/CN=mldshomdsp01.ce.xyz.com.au
error 32 at 0 depth lookup:key usage does not include certificate signing
/CN=mldshomdsp01.ce.xyz.com.au
error 20 at 0 depth lookup:unable to get local issuer certificate

When I googled that error I found that it looks like OpenLDAP doesn't like the certificate having the wrong purpose.
(http://www.mail-archive.com/[email protected]/msg56755.html)

I checked this and found:

# openssl x509 -noout -subject -issuer -startdate -enddate -purpose -in /usr/local/etc/openldap/certs/eLearningPublic.pem
subject= /CN=mldshomdsp01.ce.xyz.com.au
issuer= /CN=mldshomdsp01.ce.xyz.com.au
notBefore=Nov  4 02:25:47 2011 GMT
notAfter=Nov  2 02:25:47 2016 GMT
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

I then created a cert on my Unix box for comparison; all the purposes are YES.

Is this the problem?
