Howard Chu <[email protected]> writes:

> Jelle de Jong wrote:
>> On 24/07/09 18:22, Dieter Kluenter wrote:
>>> Jelle de Jong <[email protected]> writes:
>>>
>>>> Brian A. Seklecki wrote:
>>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>>> Hello everybody,
>>> [...]
>>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>>> it can help to see what is going on, I can't make anything from the
>>>> debug output of the openldap server
>>>>
>>>> http://debian.pastebin.com/m56aaee1e
>>>
>>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>>> Identifier
>>
>> So that was an answer I was not expecting :D. So I contacted the
>> CACert.org people that are my root authority for my certs, and they
>> indeed do not support X509v3. I am creating a feature bug for this at
>> their bugtracker, however isn't there a way for openldap to not use the
>> X509v3 extensions?
>
> Pretty sure the extensions are not required. However, X.509v1 certs
> are more easily spoofed. At any rate, when linked with OpenSSL you
> should be able to use any type of cert. Since you're on debian, and
> probably using GnuTLS, I'm not so sure. GnuTLS is still mostly
> unreliable, in my experience.

If a signing keyid is not required, are there other methods to describe and verify the certificate chain?

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
