Howard,
I have read that and I have set a bundle of my Root/Child CA included with the TLSCACertificateFile directive.
My TLS configuration is as follows:
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never
Anyway, if I do not include the Child CA certificate in the appropriate stores at the client side, the server certificate cannot be verified.
I have tried to get some more info with openssl (openssl s_client -connect hostname:636) and it returns that there are no client certificate CA names sent.
Any suggestions?
~Cheers~
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain
Read the Admin Guide, section 12.2.1.1.
Krasimir Ganchev wrote:
Hello guys,
I am using a globally recognized certificate with my openldap server which is issued by a Child CA trusted by the Root CA of my certificate provider. Is there any possible way to include the Child CA certificate within the server certificate chain?
The thing is that I have a couple of Windows-based clients using my openldap server and I can't make them verify the server certificate. The Root CA is included in the trusted Root CAs Windows store, but since the Child CA isn't there and doesn't appear in the certificate chain, the clients cannot verify the server certificate and give up with an error unless they are configured to ignore errors.
That's the reason why I would like to include the Child CA (Signing CA) certificate within the server certificate chain, which will allow those clients to confirm the server's certificate and its signing CA certificate against the trusted Root CA.
Is there any possible way to achieve that and is it up to configuration?