On Wednesday, 7 July 2010 23:26:50 Chris Jacobs wrote:
Bryan,
> The method of completing "Does openldap provide a mechanism that will accomplish the same thing (automatic client cert acceptance)?" is to have a real cert authority issue the cert.
That is not the only method, and there may be circumstances where a commercial CA is not suitable.
> They're pretty nice about it even, at least if you give them money.
> I /highly/ recommend you read up on SSL certs, differences between self-signed and purchased, etc.
All root CA certs are self-signed; the OP wasn't (necessarily) proposing self-signed certs. However, since he is not necessarily in control of the LDAP server configuration, his solution should cater to situations that may require the user of his solution to update the CA cert (e.g., commercial CA certificate rollover).
> Here's a hint: Self-Signed aren't trusted anywhere. Most equipment, browsers, etc, come with a list of trusted providers.
And, most good devices, browsers etc. allow you to update/add CA certificates.
Regards, Buchan
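As an added illustration of the point about catering for CA rollover (example script, not from this thread or from the OpenLDAP project): an OpenLDAP client that demands verification but anchors trust in a TLS_CACERTDIR directory, so a new CA certificate can be installed beside the old one without editing ldap.conf. It assumes `openssl` is installed; the CA names, the URI and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: client-side trust store that survives a CA rollover.
# Assumes openssl is on PATH; everything below is throwaway test data.
set -eu

WORK=$(mktemp -d)
CADIR="$WORK/cacerts"
mkdir -p "$CADIR"

# Create a throwaway self-signed CA certificate (constructed test data).
make_ca() {          # $1 = common name, $2 = output PEM path
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Install a CA into the directory under its OpenSSL subject-hash name
# (the naming c_rehash produces), which is how libldap's TLS_CACERTDIR
# lookup locates the issuer of a presented server certificate.
install_ca() {       # $1 = PEM path, $2 = trust directory
  hash=$(openssl x509 -in "$1" -noout -hash)
  n=0
  while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
  cp "$1" "$2/$hash.$n"
  echo "$2/$hash.$n"
}

# Client configuration: verification is mandatory (TLS_REQCERT demand),
# and trust is anchored in a directory rather than one pinned CA file,
# so a rollover is handled by dropping the new CA next to the old one.
write_ldap_conf() {  # $1 = ldap.conf path, $2 = trust directory
  cat > "$1" <<EOF
URI ldaps://ldap.example.test
TLS_CACERTDIR $2
TLS_REQCERT demand
EOF
}

count_trusted() { ls "$1" | wc -l | tr -d ' '; }

write_ldap_conf "$WORK/ldap.conf" "$CADIR"
make_ca "Old Corp CA" "$WORK/old-ca.pem"
install_ca "$WORK/old-ca.pem" "$CADIR"
# Rollover: the replacement CA is added; the config is untouched.
make_ca "New Corp CA" "$WORK/new-ca.pem"
install_ca "$WORK/new-ca.pem" "$CADIR"
```

During the overlap period both CAs stay installed; once every server has moved to the new issuer, the old hash file is simply deleted.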