Thank you for your help.
But I still don't understand why the SSL connection works without any CA in TLS_CACERT
whereas I put TLS_REQCERT "demand"?
Message from 29/12/06 at 18:28
From: "Owen DeLong"
To: "Rafal (sxat)"
Cc: openldap-software(a)openldap.org
Subject: Re: certificate issue with ldaps
TLS_CACERT must be the certificate from a ROOT Certificate Authority or
a Certificate Authority certificate signed by a known parent CA. CA
means "Certificate Authority". There can be multiple levels of
Every certificate has an Issuer (Certificate Authority) which signed the
certificate, and a Subject whose public key and other data is signed
by the CA. If the certificate has the correct attributes, then it can be
used to sign subordinate certificates.
A certificate which has the same issuer and subject is a ROOT
because there is no parent certificate.
You might want to check if there is also a TLS_CACERTDIR directive
or similar which could still allow the client to locate the CA
On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:
>> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
>> TLS_REQCERT demand
>> My issue is that the SSL connection still works if I comment the
>> line with
>> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
>> and it should not because without this certificate authority my
>> proxy should not be able to check the certificate sent by the
>> backend ldap.
>> TLS certificate verification: Error, self signed certificate in
>> but it works with this error.
> You must have your root CA -> selfsigned after you create
> - CA and key for your LDAP server
> - CA and key for client
> both CA(client,server) you must sign by your CA root certificate