[Fedora-directory-users] FDS & Red Hat Certificate System
Richard Megginson
rmeggins at redhat.com
Wed Mar 29 22:23:26 UTC 2006
George Holbert wrote:
>>
>> ...to automatically hand out CA certs to ldap clients upon request?
>
> There is no standard mechanism for this. You have to manually copy CA
> certs to the location and in the format that each of your secure LDAP
> client apps expects.
>
>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?
>
> RedHat Linux in the past has come with a bundle of well-known CA certs
> in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it
> has this too?
>
> You would still need to configure LDAP client apps to know about this
> file.
> Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
> tls_cacertfile /usr/share/ssl/cert.pem
> ...to /etc/ldap.conf.
In Fedora Core 5 this is in /etc/pki/tls/cert.pem:
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from certdata.txt RCS revision 1.37
#
.....
>
>
>
>
> Susan wrote:
>> --- Richard Megginson <rmeggins at redhat.com> wrote:
>>
>>
>>> Susan wrote:
>>>
>>>> Hi, everyone. I think this subject has been briefly raised before
>>>> but I've more questions.
>>>>
>>>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>>>>
>>> Yes. You go to the RHCS web interface, click "Get CA Cert Chain",
>>> and you can download or copy/paste the CA cert for use with client
>>> apps (or importing into your web browser or email program or etc.).
>>> This assumes you are using RHCS as your CA.
>>>
>>
>> well, I'm speaking strictly of ldap clients. Browsers I don't care
>> about.
>>
>>
>>
>>>> Has anybody done this?
>>>>
>>> We used this extensively at Netscape.
>>>
>>
>> to automatically hand out CA certs to ldap clients upon request?
>>
>>
>>>> Right now no certs are
>>>> deployed on the clients, we're using them only for SSL traffic
>>>> encryption.
>>> Do you mean client cert auth?
>>>
>>
>> well, no. We don't care whether the clients misrepresent
>> themselves. We care if the FDS
>> misrepresents itself.
>>
>>
>>> CA certs or client certs? For the CA cert problem, AFAIK, there is
>>> no way around it - you have to configure your clients to trust your
>>> CA one way or another. You can mitigate this somewhat by going
>>> through the process of getting a real CA cert from one of the
>>> trusted root CAs listed in your web browser or email client.
>>>
>>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
>
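The thread's practical answer is that each LDAP client has to be pointed at a CA bundle by hand (George's `tls_cacertfile` line in /etc/ldap.conf) and that the distribution ships a Mozilla-derived bundle at a known path (Richard's /etc/pki/tls/cert.pem on FC5). The script below is an added example, not code from any of the posters, FDS or RHCS. It checks that side of the setup: it reads `tls_cacertfile` from a PADL-style ldap.conf, counts and lists the certificates in that bundle, and, if a host is supplied, verifies the directory server's chain against the bundle the way a client would. It assumes the key syntax George shows, that `openssl` is installed for the listing and verification steps, and that any hostname and port come from the caller (none is built in):

```shell
#!/bin/sh
# Added example, not code from the thread or from FDS/RHCS: a small checker for
# the client side of the CA-trust problem discussed above. It reads the
# tls_cacertfile setting from a PADL nss_ldap/pam_ldap style ldap.conf, counts
# the CA certificates in that bundle, lists their subjects (when openssl is
# installed) and, if a host is given, verifies a live ldaps endpoint against
# the bundle the way an LDAP client would. The paths are the ones named in the
# thread (/etc/ldap.conf, /etc/pki/tls/cert.pem); host and port are whatever
# the caller passes in.

# Print the (last) tls_cacertfile value from an ldap.conf. Keys are compared
# case-insensitively and comment lines are skipped. Returns 1 if the key is
# unset, which is the "client does not know about the CA bundle" failure mode.
cacert_from_ldap_conf() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "tls_cacertfile" { val = $2 }
         END { if (val == "") exit 1; print val }' "$1"
}

# Count PEM certificates in a bundle (prints 0 if the file holds none).
count_certs_in_bundle() {
    [ -r "$1" ] || { echo "cannot read CA bundle: $1" >&2; return 1; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# List subject/issuer of every certificate in the bundle. Wrapping the bundle
# in a PKCS#7 blob is the stock openssl idiom for walking a multi-cert PEM file.
list_bundle_subjects() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Connect to host:port over TLS (ldaps is normally 636) and verify the server
# chain against the bundle. Succeeds only when openssl reports verify code 0,
# i.e. the server's issuing CA is actually present in the bundle the client uses.
verify_ldaps() {
    host="$1"; port="${2:-636}"; cafile="$3"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>/dev/null)
    printf '%s\n' "$out" | grep 'Verify return code'
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage: check-ldap-ca.sh [ldap.conf] [ldaps-host] [port]
# Runs only when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    conf="$1"
    cafile=$(cacert_from_ldap_conf "$conf") || {
        echo "tls_cacertfile is not set in $conf; the client will not trust any CA" >&2
        exit 1
    }
    echo "CA bundle: $cafile ($(count_certs_in_bundle "$cafile") certificate(s))"
    list_bundle_subjects "$cafile" 2>/dev/null | grep '^subject='
    if [ -n "${2:-}" ]; then
        verify_ldaps "$2" "${3:-636}" "$cafile" && echo "server chain verifies against $cafile"
    fi
fi
```

Run as `sh check-ldap-ca.sh /etc/ldap.conf ldap.example.com 636` (hostname is a placeholder). A "Verify return code: 0 (ok)" line means the distribution bundle, or whatever file `tls_cacertfile` names, already contains the CA that signed the directory server's certificate; any other code means the CA still has to be added to that file, which is the manual step the thread describes.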