>>> fredd fredddo <[email protected]> wrote on 15.06.2022 at 19:46 in message
<ca+ao1t7jrbwdgtukg4ypsb99h6q_ivt2mdlyy1bf5hv1bly...@mail.gmail.com>:
> Hello,
>
> I have a problem understanding how cacert.pem works on openldap 2.4 under
> centos.
>
> I have an extremely heterogeneous machine park (with openldap customers and
> other owners)
>
> So I have 2 Certificates (CA and intermediate CA) self-signed with the
> MD5withRSA algorithm and the same 2 certificates self-signed with the
> SHA1withRSA algorithm.

I don't know what clients you are using, but our certificate from 2018 uses
sha256WithRSAEncryption. It's likely that current clients don't accept weak
certificates like MD5-based ones.

> The 4 certificates are therefore in the cacert.pem of the server and the
> clients. (keystore)
>
> It works perfectly for old servers but for new ones I have to force the use
> of TLS 1.1 because of the algorithms.
>
> I have two problems:
>
> If I just paste the 2 certificates in MD5 in the client keystore, it works,
> but if I leave the 2 certificates in SHA1, it does not work (bad
> certificate). I don't understand how openldap reads the file when there
> are multiple choices. It starts with the first couple, if that doesn't
> work it goes to the next one?

If the client trusts the CA things should work "automagically".

> So the idea would be to generate 2 new certificates identical to the others
> but with a SHA256 signature for example to work in TLS 1.2/1.3 and keep
> ldap compatibility with old servers.

How old is "old"?

> The cacert.pem file of the OpenLDAP server would therefore have 6
> certificates and the clients following their OS would have the appropriate
> pair of certificates. Could this work? Or for clients I leave the cacert
> the same and it will choose what it needs to establish the TLS connection?

Why would you use more than one certificate at all?

> I am a little lost ...
>
> best regards
> Fred,
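A practical way to settle the "which entry in cacert.pem gets used" question from the thread above is to take the bundle apart, look at what each entry actually is, and let OpenSSL build the chain. The script below is an added example, not code from the list post or from the OpenLDAP project; it assumes openssl(1) is on PATH and the file paths are hypothetical. The library does not walk the bundle top to bottom: it picks an issuer by matching the leaf's issuer name (and authority key identifier, when present) against the subjects in the bundle, so the order of the entries does not matter. What does matter is whether the chain it finds is trusted and whether its signature algorithms (MD5, SHA1, SHA256) are still accepted by the client's TLS library, which is exactly what `describe_bundle` makes visible.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP list post or the OpenLDAP project).
# Assumes openssl(1) is installed; all paths used here are hypothetical.

# split_bundle BUNDLE OUTDIR
# Splits a PEM bundle into OUTDIR/cert-NN.pem, one file per certificate,
# and prints the number of certificates found (0 for an empty file).
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0                        { print > f }
        /-----END CERTIFICATE-----/  { close(f) }
        END                          { print n + 0 }
    ' "$bundle"
}

# describe_bundle OUTDIR
# For every split certificate print subject, issuer and the signature
# algorithm, so MD5/SHA1-signed entries and duplicate subjects stand out.
# "Signature Algorithm" appears twice in -text output; the first is the
# algorithm the certificate itself was signed with.
describe_bundle() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer
        openssl x509 -in "$f" -noout -text \
            | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
    done
}

# verify_against_bundle BUNDLE LEAF
# Lets OpenSSL pick the issuer out of BUNDLE by name/key identifier and
# report whether the resulting chain is trusted; exit status is the result.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2"
}

# Typical use (hypothetical paths):
#   n=$(split_bundle /etc/openldap/cacerts/cacert.pem /tmp/cacert.d)
#   echo "$n certificates in bundle"
#   describe_bundle /tmp/cacert.d
#   verify_against_bundle /etc/openldap/cacerts/cacert.pem /etc/openldap/server.crt
```

If `verify_against_bundle` succeeds but the LDAP client still reports a bad certificate, the bundle contents are not the problem; compare the signature algorithms printed by `describe_bundle` with what the client's TLS library accepts before adding yet another CA pair.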
