Chris Jacobs wrote:
Andrew,
Put your intermediate cert and CA cert in the TLSCACertificateFile specified by
your slapd.conf (or olsTLSCA... if using slapd.d).
And the server will include the chain correctly automagically. :)
Test via:
openssl s_client -connect [host]:636 -showcerts </dev/null
From that, you should see the chain.
FWIW: I looked at the later mentioned FMs and Admin Guide and none seem
include the word 'chain' (except for chaining - a different topic), which is
how I would look to see how to configure or verify the server will include the
chain. The issue of chains is either not addressed or talked about in a way
that isn't obvious or simply hard to find.
http://www.openldap.org/doc/admin24/tls.html
16.2.1.1 is pretty explicit.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
