Thank you for your help.

But I still don't understand why the SSL connection works without any CA in TLS_CACERT whereas I put TLS_REQCERT "demand"?

Thomas


> Message of 29/12/06 at 18:28
> From: "Owen DeLong"
> To: "Rafal (sxat)"
> Cc: openldap-software@openldap.org
> Subject: Re: certificate issue with ldaps
>
> Small correction:
>
> TLS_CACERT must be the certificate from a ROOT Certificate Authority or
> a Certificate Authority certification signed by a known parent CA. CA
> means "Certificate Authority". There can be multiple levels of
> Certificate authority.
>
> Every certificate has an Issuer (Certificate Authority) which signed the
> certificate, and, a Subject whose public key and other data is signed
> by the CA. If the certificate has the correct attributes, then, it
> can be used to sign subordinate certificates.
>
> A certificate which has the same issuer and subject is a ROOT
> certificate because there is no parent certificate.
>
> You might want to check if there is also a TLS_CACERTDIR directive
> or similar which could still allow the client to locate the CA
> Certificate.
>
> Owen
>
> On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:
>
> >> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
> >> TLS_REQCERT demand
> >> My issue is that the SSL connection still works if I comment the
> >> line with
> >> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
> >> and it should not because without this certificate authority my
> >> openldap proxy should not be able to check the certificate sent by the
> >> backend ldap.
> >> TLS certificate verification: Error, self signed certificate in
> >> certificate chain
> >> but it works with this error.
> >
> > You must have your root CA -> selfsigned after you create
> > - CA and key for your LDAP server
> > - CA and key for client
> >
> > both CA(client,server) you must sign by your CA root certificate
> >
> > Regards
> > rafal
> >
>
> >
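An added example, not from this thread and not OpenLDAP's own code, that does the check Owen suggests: it resolves which file or environment variable actually supplies TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT for an OpenLDAP client and says what that combination means for verification. The model is simplified from ldap.conf(5) and is an assumption here: the system-wide ldap.conf is read first, then the user's ldaprc, later files override earlier ones, and an environment variable named LDAP<OPTION> (for example LDAPTLS_CACERT) overrides every file; the real library also reads ./ldaprc and $LDAPRC, which this leaves out. The two configuration snippets and the paths /etc/openldap/ldap.conf, ~/.ldaprc and /etc/ssl/certs are constructed for the demonstration; only /usr/local/etc/raddb/RTFE/conca.pem is taken from the thread.

```python
"""Added example: where do TLS_CACERT / TLS_CACERTDIR / TLS_REQCERT really
come from for an OpenLDAP client, and does the combination make sense?

Simplified from ldap.conf(5) (assumption, not the thread's code): the
system-wide ldap.conf is read first, then the user's ldaprc, later files
override earlier ones, and an environment variable named LDAP<OPTION>
(e.g. LDAPTLS_CACERT) overrides every file. All paths and snippets below
are constructed for the demonstration."""
from typing import Dict, List, Optional, Tuple

TLS_KEYS = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT")
# ldap.conf(5) levels; 'demand' and 'hard' are equivalent and the default.
REQCERT_LEVELS = ("never", "allow", "try", "demand", "hard")
Setting = Tuple[Optional[str], Optional[str]]  # (value, where it came from)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf-style text: 'OPTION value' per line, '#' comments,
    option names case-insensitive, last occurrence of an option wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def resolve_tls_settings(files: List[Tuple[str, str]],
                         env: Dict[str, str]) -> Dict[str, Setting]:
    """files: (path, contents) in read order; env: process environment.
    Returns each TLS option as (effective value, source) or (None, None)."""
    effective: Dict[str, Setting] = {key: (None, None) for key in TLS_KEYS}
    for path, contents in files:
        parsed = parse_ldap_conf(contents)
        for key in TLS_KEYS:
            if key in parsed:
                effective[key] = (parsed[key], path)
    for key in TLS_KEYS:
        env_name = "LDAP" + key          # LDAPTLS_CACERT, LDAPTLS_REQCERT, ...
        if env_name in env:
            effective[key] = (env[env_name], "environment variable " + env_name)
    return effective


def audit(effective: Dict[str, Setting]) -> List[str]:
    """Explain the verification outcome the effective settings imply."""
    findings: List[str] = []
    reqcert, reqcert_src = effective["TLS_REQCERT"]
    level = (reqcert or "demand").lower()
    if level not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT '{reqcert}' ({reqcert_src}) is not a valid level")
        level = "demand"
    # Every place a CA could still be coming from, with its source.
    ca_sources = [(key, *effective[key]) for key in ("TLS_CACERT", "TLS_CACERTDIR")
                  if effective[key][0] is not None]
    for key, value, src in ca_sources:
        findings.append(f"{key} {value} comes from {src}")
    if level == "never":
        findings.append("TLS_REQCERT never: no server certificate is requested or checked")
    elif level == "allow":
        findings.append(f"TLS_REQCERT allow ({reqcert_src}): a certificate that fails "
                        "verification is ignored and the session proceeds")
    elif not ca_sources:
        # try / demand / hard all terminate the session on a bad certificate,
        # and with no CA at all the server certificate cannot verify.
        findings.append(f"TLS_REQCERT {level} with no TLS_CACERT or TLS_CACERTDIR from "
                        "any file or environment variable: the server certificate "
                        "cannot be verified, so the handshake should be terminated")
    return findings


# Constructed scenario modelled on the thread: TLS_CACERT commented out in the
# system file, TLS_REQCERT demand, and a user ldaprc that quietly points
# TLS_CACERTDIR at a hashed CA directory.
SYSTEM_LDAP_CONF = """\
# TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
TLS_REQCERT demand
"""
USER_LDAPRC = "TLS_CACERTDIR /etc/ssl/certs\n"


def thread_scenario() -> List[str]:
    files = [("/etc/openldap/ldap.conf", SYSTEM_LDAP_CONF), ("~/.ldaprc", USER_LDAPRC)]
    return audit(resolve_tls_settings(files, env={}))


def no_ca_anywhere() -> List[str]:
    return audit(resolve_tls_settings([("/etc/openldap/ldap.conf", SYSTEM_LDAP_CONF)], env={}))


if __name__ == "__main__":
    for title, scenario in (("with ~/.ldaprc", thread_scenario),
                            ("system file only", no_ca_anywhere)):
        print(title)
        for finding in scenario():
            print("  " + finding)
```

The first scenario reports that the CA still comes from TLS_CACERTDIR in the user's file, which is the kind of hidden source that makes a commented-out TLS_CACERT look ineffective; the second reports that with demand and no CA at all the handshake should not succeed. To run it against a real machine, read the actual files into the `files` list and pass `os.environ` as `env`; it takes text rather than paths so that it runs offline.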