Dieter Kluenter wrote:
Howard Chu hyc@symas.com writes:
Jelle de Jong wrote:
On 24/07/09 18:22, Dieter Kluenter wrote:
Jelle de Jong jelledejong@powercraft.nl writes:
Brian A. Seklecki wrote:
On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
> Hello everybody,
[...]
Hi BAS, thank you for helping. I gathered some more information; I hope it can help to see what is going on. I can't make anything from the debug output of the openldap server.
The powercraft/nl-certificate is missing the X509v3 Authority Key Identifier
So that was an answer I was not expecting :D. So I contacted the CACert.org people that are my root authority for my certs, and they indeed do not support X509v3. I am creating a feature bug for this at their bugtracker; however, isn't there a way for openldap to not use the X509v3 extensions?
Pretty sure the extensions are not required. However, X.509v1 certs are more easily spoofed.
Yupp.
If a signing keyid is not required, are there other methods to describe and verify the certificate chain?
Yes, of course!
RFC 5280, section 4.1.2.4:
Certificate users MUST be prepared to process the issuer distinguished name and subject distinguished name (Section 4.1.2.6) fields to perform name chaining for certification path validation (Section 6).
Ciao, Michael.
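As an added illustration of the name chaining Michael quotes (not code from anyone in this thread), the script below builds a small three-certificate hierarchy that carries no Subject/Authority Key Identifier extensions at all, then walks the path leaf -> intermediate -> root using only issuer-DN/subject-DN matching plus a signature check; it assumes the third-party `cryptography` package, and all names and keys are constructed for the example.

```python
# Added example: path building by RFC 5280 name chaining when certificates
# have no AKI/SKI extensions. Requires the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(subject_cn, issuer_cert=None, issuer_key=None):
    """Issue a minimal certificate with NO extensions (constructed test data).
    With issuer_cert=None the certificate is self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .sign(issuer_key if issuer_key is not None else key, hashes.SHA256()))
    return cert, key

def find_issuer(cert, candidates):
    """Name chaining: cert.issuer must equal candidate.subject. AKI/SKI are only
    compared when both sides carry them; otherwise the DN match plus a
    signature check decides, which is exactly the case without X509v3 AKI."""
    for cand in candidates:
        if cert.issuer != cand.subject:
            continue
        try:
            aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
            ski = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            if aki.key_identifier != ski.digest:
                continue
        except x509.ExtensionNotFound:
            pass  # no key identifiers present: rely on DN match + signature
        try:  # the candidate's key must verify the signature over cert's TBS bytes
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return cand
        except InvalidSignature:
            continue  # same DN but wrong key: keep looking
    return None

def build_path(leaf, intermediates, anchors):
    """Return the subject CNs from leaf to trust anchor, or None on failure."""
    path, cert = [leaf], leaf
    while cert not in anchors:
        nxt = find_issuer(cert, anchors + intermediates)
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
        cert = nxt
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value for c in path]

root, root_key = make_cert("Test Root CA")
inter, inter_key = make_cert("Test Intermediate CA", root, root_key)
leaf, _ = make_cert("ldap.example.test", inter, inter_key)
other_root, _ = make_cert("Test Root CA")  # same DN as root, different key
```

Running `build_path(leaf, [inter], [root])` succeeds without any key identifier, while `build_path(leaf, [inter], [other_root])` fails because the DN match alone is not trusted: the signature check rejects the impostor root, which is the spoofing risk Howard alludes to for v1-style certificates.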