[Fedora-directory-users] FDS & Red Hat Certificate System

Richard Megginson rmeggins at redhat.com
Wed Mar 29 22:23:26 UTC 2006


George Holbert wrote:
>>
>> ...to automatically hand out CA certs to ldap clients upon request?
>
> There is no standard mechanism for this.  You have to manually copy CA 
> certs to the location and in the format that each of your secure LDAP 
> client apps expects.
>
>
>> yea but what about ldap clients?  AFAIK no ldap client implicitly 
>> trusts verisign or anything like
>> that.  So, even if I do get a real CA cert, will a plain vanilla FC4 
>> install trust it?  I'm
>> guessing no....?
>
> RedHat Linux in the past has come with a bundle of well-known CA certs 
> in /usr/share/ssl/cert.pem.  I haven't used FC4, but I'm guessing it 
> has this too?
>
> You would still need to configure LDAP client apps to know about this 
> file.
> Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
> tls_cacertfile /usr/share/ssl/cert.pem
> ...to /etc/ldap.conf.
In Fedora Core 5 this is in /etc/pki/tls/cert.pem:
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from certdata.txt RCS revision 1.37
#
.....

>
>
>
>
> Susan wrote:
>> --- Richard Megginson <rmeggins at redhat.com> wrote:
>>
>>  
>>> Susan wrote:
>>>    
>>>> Hi, everyone.  I think this subject has been briefly raised before 
>>>> but I've more questions.
>>>>
>>>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>>>>         
>>> Yes.  You go to the RHCS web interface, click "Get CA Cert Chain", 
>>> and you can download or copy/paste the CA cert for use with client 
>>> apps (or importing into your web browser or email program or etc.).  
>>> This assumes you are using RHCS as your CA.
>>>     
>>
>> well, I'm speaking strictly of ldap clients.  Browsers I don't care 
>> about.
>>
>>
>>  
>>>> Has anybody done this?
>>>>         
>>> We used this extensively at Netscape.
>>>     
>>
>> to automatically hand out CA certs to ldap clients upon request?
>>
>>  
>>>> Right now no certs are
>>>> deployed on the clients, we're using them only for SSL traffic 
>>>> encryption.         
>>> Do you mean client cert auth?
>>>     
>>
>> well, no.  We don't care whether the clients misrepresent 
>> themselves.  We care if the FDS
>> misrepresents itself.
>>
>>  
>>> CA certs or client certs?  For the CA cert problem, AFAIK, there is 
>>> no way around it - you have to configure your clients to trust your 
>>> CA one way or another.  You can mitigate this somewhat by going 
>>> through the process of getting a real CA cert from one of the 
>>> trusted root CAs listed in your web browser or email client.
>>>     
>>
>> yea but what about ldap clients?  AFAIK no ldap client implicitly 
>> trusts verisign or anything like
>> that.  So, even if I do get a real CA cert, will a plain vanilla FC4 
>> install trust it?  I'm
>> guessing no....?
>>
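A small audit script for the client-side step the thread keeps returning to (an added example, not from any poster): it reads the tls_cacertfile directive from a PADL-style pam_ldap/nss_ldap ldap.conf and checks that the named bundle actually exists and holds PEM certificates, which is the part nothing distributes automatically. The directory, file names and certificate bodies in the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: audit the tls_cacertfile setting of a PADL-style ldap.conf.

# Print the tls_cacertfile value from the given ldap.conf, or "UNSET" when
# the directive is absent or commented out. Directives are "key value" lines,
# key matched case-insensitively, '#' starts a comment.
ldap_cacertfile() {
    awk 'tolower($1) == "tls_cacertfile" { v = $2 }
         END { print (v == "" ? "UNSET" : v) }' "$1"
}

# Count PEM certificates in a bundle; prints 0 when the file is unreadable.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Verdict for one ldap.conf:
#   trusted-bundle:<n>        configured bundle exists and holds n certs
#   missing-or-empty:<path>   directive set, but the file is absent or empty
#   no-tls_cacertfile         directive not set: server cert cannot be verified
ldap_trust_status() {
    f=$(ldap_cacertfile "$1")
    [ "$f" = "UNSET" ] && { echo "no-tls_cacertfile"; return 0; }
    n=$(pem_cert_count "$f")
    if [ "$n" -gt 0 ]; then
        echo "trusted-bundle:$n"
    else
        echo "missing-or-empty:$f"
    fi
}

# Demo on constructed input: a bundle with two placeholder "certificates"
# and an ldap.conf pointing at it (stand-ins for /etc/pki/tls/cert.pem and
# /etc/ldap.conf on a real host).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
    CONSTRUCTED-PLACEHOLDER-1 CONSTRUCTED-PLACEHOLDER-2 > "$demo_dir/cert.pem"
printf 'tls_cacertfile %s/cert.pem\n' "$demo_dir" > "$demo_dir/ldap.conf"
echo "constructed ldap.conf: $(ldap_trust_status "$demo_dir/ldap.conf")"
rm -rf "$demo_dir"
```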