[Fedora-directory-users] ssl client authentication

Thomas nkwan at redhat.com
Wed Nov 16 15:51:28 UTC 2005


Several Problems.

#1 You said you have a self-signed ssl cert, and a self-signed (assumed) 
CA cert

When you do ldapsearch (which is your SSL client), the directory server
(your SSL server) replies with the certificate chain which includes the
CA certificate, and the self-signed SSL certificate.

Then, the SSL client checks if the SSL certificate is signed by a 
"trusted" CA.
Since you have a self-signed SSL certificate, you should have the SSL
certificate imported into your SSL client's security database, and it should
be marked as trusted (i.e. -t "CT,CT,CT"). If this certificate is not marked
as trusted, the client (i.e. Peer) will not "trust" the connection.

Another way to do this is to sign your SSL server certificate with your
self-signed CA certificate, and import your CA certificate into your SSL
client's security database. This approach is more generic and you don't
have to trust every single server certificate that is signed by the CA.

#2 You also have a self-signed client certificate

If your client certificate is self-signed, that means you need to import the
client certificate into the server's security database, and mark it as
trusted. Otherwise, the server will not trust your client certificate and
the connection will not be established.

You may want to consider signing your client certificate with your CA
certificate so that your client certificate will be trusted as long as you
have the CA certificate imported and trusted in the server's database.

thomas

Michael Montgomery wrote:

> conn=31 op=-1 fd=67 closed - Peer does not recognize and trust the CA 
> that issued your certificate.
>
> I've been trying to get client authentication via ssl working for 
> quite a while now.  I've tried generating my own CA via openssl, 
> creating a self-signed ssl cert, importing CA cert via the interface, 
> converting the client ssl to pkcs12 format, importing it via the 
> interface, and trying to run a 'ldapsearch' using the cert (non-pkcs12 
> format) on the client machine but get the above error.
>
> I've also tried clearing the whole DB, regenerating everything (CA 
> cert, and server client cert), and generating a client cert for a test 
> machine with this:
>
> /serverRoot/shared/bin/certutil -S -n "hostname-Cert" -s 
> "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z 
> noise.txt -f pwdfile.txt
>
> then running this:
>
> '../shared/bin/certutil -L -d /opt/fedora-ds/alias/ -n 
> "hostname-test-Cert"'
>
> and putting that in a ssl cert file on the client, '/root/client.crt', 
> using this as an ldap.conf file:
>
> host ***.***.***.***
> base dc=test,dc=testdomain,dc=com
> uri ldap://***.***.***.***
> ldap_version 3
> port 636
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> ssl start_tls
> ssl on
> tls_cert /root/client.crt
> pam_password md5
>
> And testing again with ldapsearch.
>
> But I still get the above error.
>
> Does anyone have any ideas why this is happening, as I'm at a loss.
>
> Thanks.
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
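The CA-signed setup Thomas recommends in his reply (sign the server and client certificates with one CA, then import only the CA, marked trusted, into the peer's NSS database), as an added worked example that is not code from either post or from Fedora Directory Server. It uses NSS certutil throughout; the scratch directory, nicknames, subjects, serial numbers and password are illustrative assumptions standing in for the server's real database (the thread's /opt/fedora-ds/alias/) and the client's. The two helper functions read a `certutil -L` listing and decide whether the CA carries the SSL trust flag each side needs: "C" so the client accepts server certificates issued by it, "T" so the server accepts client certificates issued by it.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# Fedora Directory Server. Builds the chain Thomas describes with NSS certutil:
# one CA, a server cert and a client cert issued by it, and only the CA
# imported (with trust flags) into each peer's database.
# Assumptions: certutil (nss-tools) is on PATH; the scratch directory,
# nicknames, subjects, serials and password are illustrative.
set -eu

# Print the SSL-column trust flags (e.g. "CT" from "CT,,") of the cert with
# the given nickname, reading a "certutil -L -d <db>" listing on stdin.
ssl_trust_flags() {
  awk -v nick="$1" '
    # data rows end in an SSL,S/MIME,JAR flag triple such as "CT,," or "u,u,u"
    $NF ~ /^[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*$/ {
      name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trailing flag column
      if (name == nick) { split($NF, f, ","); print f[1]; exit }
    }'
}

# Exit 0 when the CA named $2 is trusted to validate the peer role $1:
# a server cert needs "C" in the SSL column, a client cert needs "T".
# Lower-case "c" only means "valid CA", not trusted, so it does not count.
chain_trusted() {
  flags=$(ssl_trust_flags "$2")
  case $1 in
    server) case $flags in *C*) return 0 ;; esac ;;
    client) case $flags in *T*) return 0 ;; esac ;;
  esac
  return 1
}

build_chain() {
  base=$1
  rm -rf "$base"
  mkdir -p "$base/ca" "$base/server" "$base/client"
  printf 'demo-password\n' > "$base/pw"        # demo password (assumption)
  head -c 1024 /dev/urandom > "$base/noise"    # entropy for key generation
  for db in ca server client; do
    certutil -N -d "$base/$db" -f "$base/pw"
  done

  # Self-signed CA. -2 prompts for basic constraints: CA=y, no path length,
  # critical=y, which is what the piped answers supply.
  printf 'y\n\ny\n' | certutil -S -d "$base/ca" -f "$base/pw" -z "$base/noise" \
    -n "CA certificate" -s "CN=Demo CA" -x -t "CT,," -k rsa -g 2048 -v 120 -m 1 -2
  certutil -L -d "$base/ca" -n "CA certificate" -a > "$base/ca.pem"

  serial=2
  for role in server client; do
    # key and CSR are generated inside the role's own db; the key never leaves it
    certutil -R -d "$base/$role" -f "$base/pw" -z "$base/noise" \
      -s "CN=demo-$role" -k rsa -g 2048 -a -o "$base/$role.csr"
    certutil -C -d "$base/ca" -f "$base/pw" -c "CA certificate" \
      -i "$base/$role.csr" -o "$base/$role.pem" -a -m "$serial" -v 12
    serial=$((serial + 1))
    # own cert needs no trust flags: having the private key makes it "u,u,u"
    certutil -A -d "$base/$role" -n "$role-Cert" -t ",," -a -i "$base/$role.pem"
    # the CA is what carries the trust: C for server certs, T for client certs
    certutil -A -d "$base/$role" -n "CA certificate" -t "CT,," -a -i "$base/ca.pem"
  done

  # import each leaf into the *other* db untrusted, so certutil -V can show
  # that the trusted CA, not the leaf's own flags, is what makes it valid
  certutil -A -d "$base/client" -n "peer-server" -t ",," -a -i "$base/server.pem"
  certutil -A -d "$base/server" -n "peer-client" -t ",," -a -i "$base/client.pem"
}

verify_chain() {
  base=$1
  certutil -L -d "$base/client" | chain_trusted server "CA certificate"
  certutil -L -d "$base/server" | chain_trusted client "CA certificate"
  # -u V validates as an SSL server cert, -u C as an SSL client cert, using
  # the trust flags stored in the database named by -d
  certutil -V -d "$base/client" -n "peer-server" -u V
  certutil -V -d "$base/server" -n "peer-client" -u C
}

case "${1:-}" in
  run) build_chain "${2:-/tmp/nss-chain-demo}"; verify_chain "${2:-/tmp/nss-chain-demo}" ;;
esac
```

Run it as `sh nss-chain.sh run [dir]`. The `certutil -V` calls are the offline equivalent of what ldapsearch and the directory server do on connect: if the CA were imported with `",,"` (or left out, as in the original report) both validations fail even though the leaf certificates themselves are fine. Trust is only half of the client's check; the server certificate's subject must also match the host the client connects to, and that part is independent of the trust flags shown here.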