On Tue, 24 Apr 2007, Jean-Claude wrote: ...
With SSL, I checked all my certificates (Root CA and LDAP certificate) and renewed all of them, without success. Always the same error message.
Although everything seems OK with the certificates.
# openssl x509 -in LDAPserver-cert.pem -text -noout
...
Netscape Cert Type: Object Signing
The certificate has a "Netscape Cert Type" field, but that field doesn't include the "SSL Server" flag. Your certificate creation setup needs to be corrected and a new certificate created. To quote the "X509 CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:
    SSL Server
        The extended key usage extension must be absent or include the "web server authentication" and/or one of the SGC OIDs. keyUsage must be absent or it must have the digitalSignature set, the keyEncipherment set, or both bits set. Netscape certificate type must be absent or have the SSL server bit set.
Philip Guenther Sendmail, Inc.
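The check Philip describes, as an added example that is not part of the original thread: the script below builds a throwaway CA, signs one server CSR twice (once with only nsCertType = objsign, reproducing the bad certificate, once with the Netscape type, keyUsage and extendedKeyUsage the manpage requires), and asks OpenSSL's own purpose checker (openssl x509 -purpose) whether each result is acceptable as an SSL server. The CA name, the hostname ldap.example.org and the extension section names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: reproduce the "Object Signing only" certificate and the corrected one,
# then let OpenSSL's purpose checker judge both. Requires the openssl CLI.
set -e

# Generate a scratch CA and two server certificates from the same CSR.
# Prints the scratch directory so callers can find server_wrong.pem / server_ok.pem.
make_certs() {
    dir=$(mktemp -d)

    # Extension sections (assumed names). "server_wrong" mirrors the certificate in the
    # thread: Netscape Cert Type present but without the SSL Server bit.
    cat > "$dir/ext.cnf" <<'EOF'
[ server_wrong ]
basicConstraints = CA:FALSE
nsCertType = objsign

[ server_ok ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.org
EOF

    # Self-signed root (assumed name) and a server key + CSR for the LDAP host.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Example-Root-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=ldap.example.org \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1

    # Sign the same CSR with each extension section.
    for sec in server_wrong server_ok; do
        openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -extensions "$sec" \
            -out "$dir/$sec.pem" >/dev/null 2>&1
    done
    echo "$dir"
}

# Print the value OpenSSL shows under "Netscape Cert Type:" for a certificate.
ns_cert_type() {
    openssl x509 -in "$1" -noout -text | sed -n '/Netscape Cert Type/{n;p;}' | sed 's/^ *//'
}

# True (exit 0) when OpenSSL's purpose checker accepts the cert as an SSL server,
# i.e. EKU, keyUsage and nsCertType all satisfy the rules quoted from openssl(1).
ssl_server_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# Demo: show both certificates side by side and clean up.
demo() {
    d=$(make_certs)
    for sec in server_wrong server_ok; do
        printf '%s: nsCertType=%s, ' "$sec" "$(ns_cert_type "$d/$sec.pem")"
        if ssl_server_ok "$d/$sec.pem"; then echo "SSL server: Yes"; else echo "SSL server: No"; fi
    done
    rm -rf "$d"
}

demo
```

The same -purpose check can be run against the real LDAPserver-cert.pem: anything other than "SSL server : Yes" means the certificate will be rejected for TLS regardless of what the rest of the chain looks like.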