Villy Kruse wrote:
> On Sun, 4 Sep 2005, Kurt D. Zeilenga wrote:
>> At 08:45 AM 9/4/2005, Peter Marschall wrote:
>>> AFAIK this is expected behaviour as you cannot use a self-signed server
>>> certificate with openLDAP.
>> Have you examined the certificate at ldap.openldap.org?
>> It's a self-signed certificate.
> A self-signed certificate cannot be verified. For that you will need
> the certificate to be signed by a trusted CA. However, a self-signed
> certificate can be used to establish an encrypted connection.
I don't believe that statement helps in any way to clarify the
situation. A cert that is signed by a trusted CA is by definition *not*
a self-signed cert.

Note (again, and again, and again...) that "self-signed" does not mean
"a certificate that I created by myself." It means "a certificate that
was not signed by a separate certificate authority."

Ultimately every chain of trusted certs leads back to a self-signed
cert, because no matter how many CAs are in the chain, ultimately
there's a root level that has no superior to sign for it. That root
level cert is necessarily self-signed. The point is that any client and
server must be explicitly configured to trust a particular self-signed
cert. For the OpenLDAP client that means you point the TLS_CACERT
directive (see ldap.conf(5)) at a PEM file containing the self-signed
cert. For the slapd server you use the corresponding
TLSCACertificateFile directive. You must use these configuration
directives if you want to accept a self-signed cert.

OpenLDAP works fine with certificates you create yourself. Whether you
use a single self-signed cert for the server, or you create a
self-signed CA cert and then use that to create and sign separate server
certs doesn't matter; the code will work either way. But whichever way
you choose, the cert you create that is self-signed *must* be configured
on all of the clients and servers. That's true whether you create the
certs, or whether you buy them from a commercial cert vendor. (Obviously
for a vendor-supplied cert, you configure the vendor's CA cert.)
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
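The setup Howard describes, as an added example that is not code from the thread or from the OpenLDAP project: a self-signed CA is created with openssl, a server cert is signed by it, and chain verification is shown to succeed only when that self-signed CA cert is supplied explicitly, which is what TLS_CACERT (client) and TLSCACertificateFile (slapd) do. The hostname, file paths and CA name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, hostname and CA name are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_certs() {
    # Minimal req config so the result does not depend on the distro openssl.cnf.
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = Example LDAP CA\n' \
        > "$WORK/ca.cnf"
    printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n' \
        >> "$WORK/ca.cnf"
    # The self-signed CA: the trust anchor every client and server must be told about.
    openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Server key and CSR, then a server cert signed by the CA above (not self-signed).
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:ldap.example.com\nbasicConstraints=CA:FALSE\n' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Chain validation with the self-signed CA configured: this is what pointing
# TLS_CACERT / TLSCACertificateFile at ca.pem gives the OpenLDAP code.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# The same server cert with no trust anchor configured: the root is unknown, so it fails.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1
}

# The matching OpenLDAP directives: client side in ldap.conf(5), server side in
# slapd.conf(5) (the cn=config attributes carry an olc prefix).
write_confs() {
    printf 'TLS_CACERT %s/ca.pem\nTLS_REQCERT demand\n' "$WORK" > "$WORK/ldap.conf"
    printf 'TLSCACertificateFile %s/ca.pem\nTLSCertificateFile %s/server.pem\nTLSCertificateKeyFile %s/server.key\n' \
        "$WORK" "$WORK" "$WORK" > "$WORK/slapd.conf"
}

make_certs
write_confs
verify_with_ca && echo "with the CA cert configured: chain verifies"
verify_without_ca || echo "without a configured CA cert: verification fails"
```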