Thanks for replying. I was a bit occupied, so I could not get back sooner. Going
by your mail, I went through the certificate generation process again. What
I found is that for some reason, the cacert.pem file (which is the
certificate for the CA) shows the following -
 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
I am attaching the steps I followed and the certificate files generated as
per the tutorial
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2.

Shouldn't the above field be CA:TRUE? Also, how do I make sure that the flag
that you mentioned below gets set to "SSL Server"?
Thanks,
Sirisha.

On Fri, May 28, 2010 at 11:44 PM, Brett @Google <[email protected]> wrote:

> On Fri, May 28, 2010 at 9:39 AM, s g <[email protected]> wrote:
>
>>
>>> javax.naming.CommunicationException: simple bind failed:
>>> vcheung-181.lab.xxxx.net:636 [Root exception is
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: Netscape cert type does not
>>> permit use for SSL server]
>>>      at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
>>>      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
>>>      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
>>>
>>
> You probably have your certs round the wrong way. The server cert (on the
> ldap server) should have the 'SSL Server' usage flag; the client cert (on the
> ldap client) should have the 'SSL Client' usage flag.
>
> The usage flags are embedded when you make the csr (certificate request)
> which will then usually be reflected in the generated certificate, unless
> your CA overrides them.
>
> Do a "openssl x509 -in <cert file> -noout -text" to compare the two
> certificates.
>
> Cheers
> Brett
>
[r...@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........................++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab.xxxx.net
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun  9 20:15:18 2010 GMT
            Not After : Jun  8 20:15:18 2013 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab.xxxx.net
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun  8 20:15:18 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

[r...@vcheung-181 nextca]#
[r...@vcheung-181 nextca]# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.........++++++
...................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab.xxxx.net
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:

[r...@vcheung-181 nextca]#
[r...@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  9 20:22:20 2010 GMT
            Not After : Jun  9 20:22:20 2011 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = SantaClara
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab.xxxx.net
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:AB:B2:D2:2B:7F:DC:B7:DE:9F:F2:AF:B1:64:45:B0:24:B5:AD:10
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun  9 20:22:20 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=MyCompany Inc, OU=MyCompany Unit, CN=vcheung-181.lab.xxxx.net/[email protected]
        Validity
            Not Before: Jun  9 20:22:20 2010 GMT
            Not After : Jun  9 20:22:20 2011 GMT
        Subject: C=US, ST=California, L=SantaClara, O=MyCompany Inc, OU=MyCompany Unit, CN=vcheung-181.lab.xxxx.net/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:3a:91:2c:16:9d:c1:70:43:bf:1e:7c:ac:5d:
                    00:af:15:9c:a8:1b:6c:37:53:c8:b7:a2:6f:68:e0:
                    2e:f3:c6:f9:ee:0c:d3:f3:90:4e:c2:68:a4:a1:d5:
                    0c:2b:2d:ac:11:48:d5:c1:2c:21:a9:ef:4e:69:e8:
                    b5:9e:31:18:aa:99:b6:7e:1d:34:a2:4e:4d:e4:53:
                    50:44:7a:6a:ef:bf:d3:9d:fd:32:c1:af:d5:21:45:
                    80:cb:12:c5:8f:70:df:49:78:7d:1a:cf:6a:2e:cb:
                    6a:17:5f:86:71:c1:c5:d6:a3:da:63:7d:80:f6:f5:
                    ce:12:5d:ad:2a:24:b9:66:a9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:AB:B2:D2:2B:7F:DC:B7:DE:9F:F2:AF:B1:64:45:B0:24:B5:AD:10
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

    Signature Algorithm: sha1WithRSAEncryption
        01:ac:6f:e2:55:87:d1:20:9f:62:58:de:4b:6a:12:27:6e:22:
        fa:40:56:c3:5e:42:2b:f6:b1:68:95:c4:d1:6a:63:aa:4f:31:
        eb:f6:45:12:28:39:18:66:9d:f0:c9:f4:3f:c9:87:be:c4:e1:
        fb:71:99:12:f3:f3:c3:85:f2:d6:61:a8:51:f3:a7:e5:41:14:
        48:a2:17:f7:28:f6:87:24:8f:76:ca:2c:52:a1:1b:de:81:12:
        e6:b5:80:83:09:89:ae:41:54:5a:59:d8:05:cc:3c:72:72:e3:
        5f:22:1c:b3:1c:40:c0:7b:4c:bf:4e:45:43:6a:2c:41:83:31:
        2f:2f
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Attachments: serverkey.pem, cacert.pem, servercert.pem
