[Fedora-directory-users] ssl client authentication
Michael Montgomery
mmontgomery at theplanet.com
Wed Nov 16 06:35:49 UTC 2005
conn=31 op=-1 fd=67 closed - Peer does not recognize and trust the CA
that issued your certificate.
I've been trying to get client authentication via ssl working for quite
a while now. I've tried generating my own CA via openssl, creating a
self-signed ssl cert, importing CA cert via the interface, converting
the client ssl to pkcs12 format, importing it via the interface, and
trying to run a 'ldapsearch' using the cert (non-pkcs12 format) on the
client machine but get the above error.
I've also tried clearing the whole DB, regenerating everything (CA cert,
and server client cert), and generating a client cert for a test machine
with this:
/serverRoot/shared/bin/certutil -S -n "hostname-Cert" -s
"cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1002 -v
120 -d . -z noise.txt -f pwdfile.txt
then running this:
'../shared/bin/certutil -L -d /opt/fedora-ds/alias/ -n "hostname-test-Cert"'
and putting that in a ssl cert file on the client, '/root/client.crt',
using this as an ldap.conf file:
host ***.***.***.***
base dc=test,dc=testdomain,dc=com
uri ldap://***.***.***.***
ldap_version 3
port 636
pam_filter objectclass=posixAccount
pam_login_attribute uid
ssl start_tls
ssl on
tls_cert /root/client.crt
pam_password md5
And testing again with ldapsearch.
But I still get the above error.
Does anyone have any ideas why this is happening, as I'm at a loss.
Thanks.
More information about the Fedora-directory-users
mailing list