Hey Peter,

On Fri, Mar 9, 2012 at 6:11 AM, Peter Hawkins <[email protected]> wrote:

> [..]
>

> I checked this and found:
>
> # openssl x509 -noout -subject -issuer -startdate -enddate -purpose -in
> /usr/local/etc/openldap/certs/eLearningPublic.pem
>
> subject= /CN=mldshomdsp01.ce.xyz.com.au
> issuer= /CN=mldshomdsp01.ce.xyz.com.au
> notBefore=Nov  4 02:25:47 2011 GMT
> notAfter=Nov  2 02:25:47 2016 GMT
> Certificate purposes:
> SSL client : No
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
>
> I then created a cert on my unix box for comparison - all the purposes are
> YES
>
> Is this the problem?
>
>
Seems like it. I'd guess those AD administrators won't want to exchange
their certificate?

While we certainly could start a discussion on how reasonable it is to
require a self-signed certificate to have a "Certificate Signing" extension
set, you might have two workarounds:
A) Tell OpenSSL to "trust" that the self-signed certificate is a CA.
     - I don't know whether that is possible.
B) Disable the purpose check for CA certificates within the context of
your LDAP client.
     - I don't know whether that is possible, either.

If I remember correctly, your gnutls package verified the self-signed
certificate. So, linking your LDAP client with gnutls instead of openssl
might be an option, too.

Regards, Linus
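To see where the "SSL server CA : No" line in Peter's output comes from, the script below (an added example, not code from either poster) generates two self-signed certificates with the openssl CLI and runs the same `openssl x509 -purpose` check on each: one carries `basicConstraints = CA:FALSE` and a keyUsage without keyCertSign, the other carries the CA markers (`CA:TRUE` plus keyCertSign). It also prints the result of verifying each certificate against itself as the trust anchor, so you can compare what plain `openssl verify` says with what the LDAP client reports. The config file, subject name, file names and the `WORK` directory are assumptions; it needs the `openssl` binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "purpose" check that
# openssl x509 -purpose performs, on two freshly generated self-signed certs.
# Requires the openssl CLI (1.1.1 or 3.x); all file names are assumptions.

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config: an empty DN section (the subject comes from -subj) plus
# two extension sections. "server_only" mimics a leaf that was never meant to
# act as a CA; "ca_capable" carries the CA markers OpenSSL's check_ca looks for.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn

[ dn ]

[ server_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

[ ca_capable ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# make_cert NAME EXT_SECTION -> writes $WORK/NAME.pem (self-signed, 30 days)
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=ldap.example.test" \
    -config "$WORK/req.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# purpose_value CERT "SSL server CA" -> prints Yes or No, exactly as
# openssl x509 -purpose reports it. The pattern is anchored so that
# "SSL server :" does not also match the "Netscape SSL server :" line.
purpose_value() {
  openssl x509 -noout -purpose -in "$1" | grep "^$2 :" | sed 's/^.*: *//'
}

# self_verify CERT -> last line of verifying CERT with itself as the only
# trust anchor (what an LDAP client with TLS_CACERT=CERT effectively does)
self_verify() {
  openssl verify -CAfile "$1" "$1" 2>&1 | tail -n 1
}

# setup -> generates both certificates under $WORK
setup() {
  write_config && make_cert server_only server_only && make_cert ca_capable ca_capable
}

if [ "${1:-}" = "run" ]; then
  setup
  for n in server_only ca_capable; do
    c="$WORK/$n.pem"
    echo "== $n ($c)"
    openssl x509 -noout -text -in "$c" | grep -A1 -E 'Basic Constraints|Key Usage'
    echo "SSL server    : $(purpose_value "$c" 'SSL server')"
    echo "SSL server CA : $(purpose_value "$c" 'SSL server CA')"
    echo "Any Purpose CA: $(purpose_value "$c" 'Any Purpose CA')"
    echo "self-verify   : $(self_verify "$c")"
  done
fi
```

Run it as `sh purpose-check.sh run`. Both certificates answer "SSL server : Yes"; only the one with `CA:TRUE` and keyCertSign answers "SSL server CA : Yes", while "Any Purpose CA" is "Yes" for both, which is why that line in Peter's output is not informative. The self-verify line is there for comparison with the client's error, not as a claim about what the LDAP library will do.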
