Howard Chu <hyc(a)symas.com> writes:
Jelle de Jong wrote:
> On 24/07/09 18:22, Dieter Kluenter wrote:
>> Jelle de Jong<jelledejong(a)powercraft.nl> writes:
>>
>>> Brian A. Seklecki wrote:
>>>> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>>>>> Hello everybody,
>> [...]
>>> Hi BAS, thank you for helping, I gathered some more information I hope
>>> it can help to see what is going on, I can't make anything from the
>>> debug output of the openldap server
>>>
>>> http://debian.pastebin.com/m56aaee1e
>>
>> The powercraft/nl-certificate is missing the X509v3 Authority Key
>> Identifier
>
> So that was an answer I was not expecting :D. So I contacted the
> CACert.org people that are my root authority for my certs, and they
> indeed do not support X509v3. I am creating a feature bug for this at
> their bugtracker, however isn't there a way for openldap to not use the
> X509v3 extensions?

Pretty sure the extensions are not required. However, X.509v1 certs
are more easily spoofed. At any rate, when linked with OpenSSL you
should be able to use any type of cert. Since you're on debian, and
probably using GnuTLS, I'm not so sure. GnuTLS is still mostly
unreliable, in my experience.

If a signing keyid is not required, are there other methods to
describe and verify the certificate chain?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E