michael@stroeder.com wrote:
sca+openldap@andreasschulze.de wrote:
as discussed on the technical ML it's uncommon to put chain certificates in TLSCACertificateFile or TLSCACertificatePath. In case of a intermediate CA like "Let's Encrypt Authority X3" it may be wrong becaus the user is forced to /TRUST/ that intermediate for a unrelated purpose.
We should be more precise here - especially regarding the term "user".
IMO it is common to put the whole CA cert chain in the cert configuration of a TLS server. This is required so that the TLS *client* only has to know the root CA cert (trust anchor) and the TLS server sends the intermediate certs. Note that some TLS implementations like GnuTLS require the CA cert chain to be "in order" (bottom-up).
The real issue here is that TLSCACertificateFile and TLSCACertificatePath are also used to specify the set of trusted CA certs to validate TLS client certs used by the TLS client to authenticate.
It's pretty much unheard of for an LDAP server to trust TLS client certs issued by a CA different from the LDAP server's own CA. Since client certs are usually issued only to allow authentication, an LDAP server will only trust its own CA to issue identities to clients.