Hello guys,
I am using a globally recognized certificate with my openldap server which is issued by a Child CA trusted by the Root CA of my certificate provider. Is there any possible way to include the Child CA certificate within the server certificate chain?
The thing is that I have couple of windows based clients using my openldap server and I can't make them verify the server certificate. The Root CA is included in the trusted Root CAs Windows store, but since the Child CA ain't there and doesn't appear in the certificate chain the clients could not verify the server certificate and give up with an error unless they are being configured to ignore errors.
That's the reason why I would like to include the Child CA /Signing CA/ certificate within the server certificate chain which will allow those clients to confirm server's certificate and its signing CA certificate against the trusted root CA.
Is there any possible way to achieve that and is it up to configuration?
Any help is appreciated!
All my best,
Krasimir Ganchev
Krasimir Ganchev wrote:
Hello guys,
I am using a globally recognized certificate with my openldap server which is issued by a Child CA trusted by the Root CA of my certificate provider. Is there any possible way to include the Child CA certificate within the server certificate chain?
I have file (on Linux) /etc/ssl/certs/trivore-ca-bundle.crt, which looks like
# The Trivore 4096 rootCA certificate:
-----BEGIN CERTIFICATE-----
MIIGhjCCBG6gAwIBAgIBADANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJGSTEW
...deleted...
aumDU+F7CFlUMZllhTLmiAYN14j7chcClbHfREhopXPTtVb5EyJ6EQK+
-----END CERTIFICATE-----
# ...
# The Trivore 4096 CA 01 certificate:
-----BEGIN CERTIFICATE-----
MIIGqDCCBJCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJGSTEW
...deleted...
Dyc4ZHUjqXz/n/CQjWBCwKPxF3fwci7UZuly9g==
-----END CERTIFICATE-----
..and then in the slapd.conf:
TLSCACertificateFile /etc/ssl/certs/trivore-ca-bundle.crt
TLSCertificateFile /etc/ssl/certs/hostname.crt
TLSCertificateKeyFile /etc/ssl/private/hostname.key
TLSCipherSuite HIGH
among other lines.
hostname.crt is created by CA01 during certification process.
Just having appropriate/relevant lines in ldap.conf makes the client work nicely with the server.
Same goes, if you import the rootCA and subordinateCA (CA01) to your Windows box. There is a separate slot on Windows for root and intermediate/subordinate CAs. ...but that goes outside the scope of this list.
The thing is that I have couple of windows based clients using my openldap server and I can't make them verify the server certificate. The Root CA is included in the trusted Root CAs Windows store, but since the Child CA ain't there and doesn't appear in the certificate chain the clients could not verify the server certificate and give up with an error unless they are being configured to ignore errors.
That's the reason why I would like to include the Child CA /Signing CA/ certificate within the server certificate chain which will allow those clients to confirm server's certificate and its signing CA certificate against the trusted root CA.
Is there any possible way to achieve that and is it up to configuration?
Any help is appreciated!
Did it help?
All my best,
Krasimir Ganchev
//Kari Mattsson
Kari,
I have already tried adding my Root/Child certificate bundle via TLSCACertificateFile but it doesn't make any difference and according to the documentation the directive only specifies certificates for CA's that slapd will trust.
The other thing which I have tried was adding the Child /subordinate/ CA certificate right after the Server certificate in TLSCertificateFile which also didn't lead to any success.
Of course I could always add the Child CA certificate to all of the Windows machine stores and everything would work just fine, but that's not the whole idea of paying for trusted certificate.
I would like to be able to specify the server certificate chain just like I've done that with SSLCertificateChainFile in apache2 for example.
~Cheers~
Krasimir Ganchev wrote:
Kari,
I have already tried adding my Root/Child certificate bundle via TLSCACertificateFile but it doesn't make any difference and according to the documentation the directive only specifies certificates for CA's that slapd will trust.
Yes, it will do exactly, and only, that.
The other thing which I have tried was adding the Child /subordinate/ CA certificate right after the Server certificate in TLFCertificateFile which also didn't lead to any success.
You have to do that, if you have a chained server certificate. TLSCACertificateFile requires the rootCA, and subordinate/intermediate CA certificates as shown in my earlier example.
You need these to get from the root to the server certificate/private (TLSCertificateFile/TLSCertificateKeyFile parameters). That will do it for OpenLDAP. On Windows side, it is totally another game.
Of course I could always add the Child CA certificate to all of the Windows machine stores and evrything would work just fine, but that's not the whole idea of paying for trusted certificate.
Krasimir, it is just THAT what you will have to do, if you have a chained server certificate.
It is not that difficult:
certmgr.exe -add rootCAcert.der -s -r localMachine root
certmgr.exe -add CA01cert.der -s -r localMachine CA
Then you have both in proper places on Windoze.
I would like to be able to specify the server certificate chain just like I've done that with SSLCertificateChainFile in apache2 for example.
You can. I already mailed an example file, and example slapd.conf lines.
~Cheers~
Terveisin/With kind regards/Med hälsningar/Lugupidamisega,
Kari Mattsson Trivore Corp.
Read the Admin Guide, section 12.2.1.1.
Howard,
I have read that and I have set a bundle of my Root/Child CA included with the TLSCACertificateFile directive.
My TLS configuration is as follows:
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
TLSCACertificateFile /etc/ldap/cacert-bundle.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV3
TLSVerifyClient never
Anyway if I do not include the Child CA certificate in the appropriate stores at the client side the server certificate could not be verified.
I have tried to get some more info with openssl (openssl s_client -connect hostname:636) and it returns that there are no client certificate CA names sent.
Any suggestions?
~Cheers~
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Wednesday, April 18, 2007 11:38 PM
To: Krasimir Ganchev
Cc: openldap-software@openldap.org
Subject: Re: Server Certificate Chain
Read the Admin Guide, section 12.2.1.1.
The server needs to be able to generate the full certificate chain during the SSL conversation such that the final cert is signed by something in the ca certificate store in use by the client. This means that in addition to the intermediate CA that is the issuer of your server cert, your slapd needs to have the other CAs in the chain as well. Sticking the intermediate certs at the end of the cacert-bundle file should work.
You can confirm that your ca cert bundle is adequate by doing
openssl verify -CAfile /etc/ldap/cacert-bundle.pem /etc/ldap/servercrt.pem
If that doesn't succeed in verifying servercrt.pem then cacert-bundle.pem doesn't have the right stuff in it. If cacert-bundle.pem is good, then openssl s_client -verify 2 -connect hostname:636 should show you the trust chain one element at a time with the (s)ubject and (i)ssuer at each step. If you have more than one intermediate CA then you would specify a number higher than '2'. The final cert in the chain should be the real root CA and be self-signed as indicated by the subject and issuer being the same. If that cert is in the client CA cert bundle then you should be good to go. If it isn't, then either your clients need to be upgraded or your CA is lousy.
On Thu, 19 Apr 2007, Krasimir Ganchev wrote:
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
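An added example, not from the thread: a small shell script that builds a throwaway root/intermediate/server PKI with openssl (all names are constructed placeholders) and runs the openssl verify checks Howard describes. It shows that a client trusting only the root cannot verify the leaf unless the intermediate is supplied, either as an extra certificate sent by the server or appended to the CA bundle.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> server
# PKI with openssl, then check the server certificate the way a client would.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key plus CSR in one step; subjects are constructed placeholders.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

# Extensions: an issuer must carry CA:TRUE or chain building stops at it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > leaf.ext

csr root   "/CN=Example Root CA"
csr inter  "/CN=Example Intermediate CA"
csr server "/CN=ldap.example.test"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out inter.crt 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 2 \
    -extfile leaf.ext -out server.crt 2>/dev/null

# Root plus intermediate together: the layout the thread recommends for TLSCACertificateFile.
cat root.crt inter.crt > ca-bundle.pem

# chain_status TRUSTED LEAF [UNTRUSTED]: prints "verified" or "unverified".
# TRUSTED models the client's CA store; UNTRUSTED models extra certificates the
# server hands over in the TLS handshake (they help build the chain, but are not trusted).
chain_status() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo verified || echo unverified
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo verified || echo unverified
    fi
}

# The three situations discussed in the thread:
echo "client has root only, server sends leaf only:         $(chain_status root.crt server.crt)"
echo "client has root only, server also sends intermediate: $(chain_status root.crt server.crt inter.crt)"
echo "leaf checked against root+intermediate bundle:        $(chain_status ca-bundle.pem server.crt)"
```

The first line prints "unverified" (the Windows symptom in the thread), the other two "verified".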