Per your link:
----
16.2.1.1. TLSCACertificateFile <filename>

This directive specifies the PEM-format file containing certificates for the 
CA's that slapd will trust. The certificate for the CA that signed the server 
certificate must be included among these certificates. If the signing CA was 
not a top-level (root) CA, certificates for the entire sequence of CA's from 
the signing CA to the top-level CA should be present. Multiple certificates are 
simply appended to the file; the order is not significant.
----

I would add: "The entire available chain is sent to clients during TLS startup."

I don't see that being implied in there. Merely 'put the certs here, and 
intermediates must be too'.

My two cents as a non-developer, non-OpenLDAP contributor, sysadmin. :-)

- chris

-----Original Message-----
From: Howard Chu [mailto:[email protected]]
Sent: Thursday, August 14, 2014 11:35 AM
To: Chris Jacobs; Andrew Devenish-Meares; [email protected]
Subject: Re: CA and Intermediate Certificates

Chris Jacobs wrote:
> Andrew,
>
> Put your intermediate cert and CA cert in the TLSCACertificateFile specified 
> by your slapd.conf (or olsTLSCA... if using slapd.d).
>
> And the server will include the chain correctly automagically. :)
>
> Test via:
>      openssl s_client -connect [host]:636 -showcerts </dev/null
>
> From that, you should see the chain.
>
> FWIW: I looked at the later mentioned FMs and Admin Guide and none seem to
> include the word 'chain' (except for chaining - a different topic), which is
> how I would look to see how to configure or verify the server will include the
> chain. The issue of chains is either not addressed or talked about in a way
> that isn't obvious or simply hard to find.

http://www.openldap.org/doc/admin24/tls.html
16.2.1.1 is pretty explicit.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
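The verification step suggested in the thread (`openssl s_client -showcerts`) can be scripted. The following is an added example, not code from the thread or from OpenLDAP: it parses the "Certificate chain" section of saved s_client output and reports whether every intermediate between the server certificate and the trusted root was actually sent. The two sample outputs, the host ldap.example.test and the CA names are constructed; the pattern accepts both the older `/C=XX/...` and the newer `C = XX, ...` subject formats.

```python
import re

# Constructed excerpts of `openssl s_client -connect host:636 -showcerts` output;
# PEM bodies are placeholders, only the " N s:... i:..." lines are parsed.
FULL_CHAIN = """\
Certificate chain
 0 s:/C=XX/O=Example/CN=ldap.example.test
   i:/C=XX/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example/CN=Example Issuing CA
   i:/C=XX/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder-intermediate...
-----END CERTIFICATE-----
"""
# Same server when the intermediate is missing from TLSCACertificateFile.
LEAF_ONLY = """\
Certificate chain
 0 s:/C=XX/O=Example/CN=ldap.example.test
   i:/C=XX/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
"""
ROOT = "/C=XX/O=Example/CN=Example Root CA"  # the CA clients are expected to trust

CHAIN_LINE = re.compile(r"^ *\d+ s:(.+)\n *i:(.+)$", re.MULTILINE)

def parse_chain(showcerts_output):
    """[(subject, issuer), ...] in the order the server presented them."""
    return [(s.strip(), i.strip()) for s, i in CHAIN_LINE.findall(showcerts_output)]

def check_chain(showcerts_output, trusted_root):
    """Return (certs sent, problems); no problems means a client trusting only
    trusted_root can build the chain from what the server sent."""
    chain = parse_chain(showcerts_output)
    if not chain:
        return 0, ["server presented no certificates"]
    problems = []
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"gap or misordering: {issuer} should be the next cert")
    last_subject, last_issuer = chain[-1]
    # Complete if the root itself was sent or the last cert was issued by the
    # root: sending the root is optional, sending every intermediate is not.
    if trusted_root not in (last_subject, last_issuer):
        problems.append(f"chain stops at {last_subject}; clients would have to trust "
                        f"{last_issuer} directly, so an intermediate is missing")
    return len(chain), problems
```

Feed it the real output with `check_chain(open("s_client.txt").read(), ROOT)` after capturing `openssl s_client -connect host:636 -showcerts </dev/null` to a file.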
