Not sure if this is an openldap issue but we have to examine everything we can.
We revised our nss certificate store as part of addressing the expiration of our root cert.
It now has two certs, the end service cert and the intermediate. Basic client operations (ldapsearch) work fine; using -d1 shows that the appropriate service certificate is loaded and the search is successful.
But if we run an 'openssl s_client -showcerts' against the host and port 636, we continue to see the expired root certificate even though it's not in the nss store configured chain. This is causing issues for some applications (mainly java based) so we're just trying to understand where the expired root would be coming from if it's not in the openldap server configuration.
Thanks,
Peter
relevant bits:

#slapd.conf
# TLS/ssl
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile DirectoryLdap
#sudo certutil -d /etc/openldap/certs -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

intermediate-2024                                            ,,
PennGroupsLdap

#sudo certutil -d /etc/openldap/certs -L -n PennGroupsLdap
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:27:6c:70:ac:b4:5c:3d:11:05:17:d9:15:59:24:af
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US"
        Validity:
            Not Before: Tue Feb 05 00:00:00 2019
            Not After : Thu Feb 04 23:59:59 2021
        Subject: "CN=penngroups-dev.net.isc.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US"
*snip*

#sudo certutil -d /etc/openldap/certs -L -n intermediate-2024
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74
        Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
        Issuer: "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"
        Validity:
            Not Before: Mon Oct 06 00:00:00 2014
            Not After : Sat Oct 05 23:59:59 2024
        Subject: "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US"
*snip*
gather the openssl s_client info; why are 4 certs (depth 0->3) presented instead of the expected 2 (depth 0->1)?
#openssl s_client -host localhost -port 636 -showcerts 2>local.certs >> local.certs

#grep -A1 "s:" local.certs
 0 s:/C=US/postalCode=19104/ST=PA/L=Philadelphia/street=3451 Walnut Street/O=University of Pennsylvania/OU=ISC: N&T - NES - Identity and Access Management (IAM)/CN=penngroups-dev.net.isc.upenn.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
--
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
--
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
--
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
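A small script that makes the comparison in the post mechanical. This is an added example, not part of Peter's message and not OpenLDAP or NSS code. It reads the saved s_client -showcerts output, fingerprints every certificate the server presented, and checks each fingerprint against a PEM dump of the configured NSS DB (the concatenated output of certutil -d /etc/openldap/certs -L -n <nickname> -a for each nickname that certutil -L lists). The result is the list of depths the server sent that the configured DB cannot account for, plus whether each cert's issuer matches the subject of the next one sent and whether the last one is self-signed. The embedded sample chain and DB are constructed stand-ins for the post's data (abbreviated DNs, placeholder PEM bodies that are hashed but never parsed), and all helper names are this example's own.

```python
"""Diff the chain a TLS listener sends against the certs in an NSS DB.

Added example, not from the post and not OpenLDAP/NSS code. Inputs:
  - raw `openssl s_client -showcerts` output (local.certs in the post)
  - concatenated `certutil -d <dir> -L -n <nick> -a` output, one per nickname
"""
import base64
import hashlib
import re
import shutil
import subprocess

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Accepts both the "/C=US/..." (OpenSSL 1.0.x) and "C = US, ..." (1.1.x+)
# subject/issuer layouts printed under "Certificate chain".
HDR_RE = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.M)


def sha256_of_pem(pem_body):
    """SHA-256 of the DER inside one PEM block, i.e. the value
    `openssl x509 -noout -fingerprint -sha256` prints, without colons."""
    der = base64.b64decode("".join(pem_body.split()))
    return hashlib.sha256(der).hexdigest()


def parse_showcerts(text):
    """One dict per certificate, in the order the server sent them."""
    headers = HDR_RE.findall(text)
    bodies = PEM_RE.findall(text)
    if len(headers) != len(bodies):
        raise ValueError("%d chain headers but %d PEM blocks"
                         % (len(headers), len(bodies)))
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(),
             "pem": body, "sha256": sha256_of_pem(body)}
            for (d, s, i), body in zip(headers, bodies)]


def nssdb_fingerprints(pem_dump):
    """Fingerprints of every cert in a concatenated `certutil ... -a` dump."""
    return {sha256_of_pem(b) for b in PEM_RE.findall(pem_dump)}


def chain_report(chain, db_fingerprints):
    rows = []
    for n, cert in enumerate(chain):
        nxt = chain[n + 1] if n + 1 < len(chain) else None
        rows.append({
            "depth": cert["depth"],
            "subject": cert["subject"],
            "in_nssdb": cert["sha256"] in db_fingerprints,
            # subject == issuer marks a root; clients never need one sent.
            "self_signed": cert["subject"] == cert["issuer"],
            # Each cert's issuer should be the subject of the next one sent.
            "links_to_next": nxt is not None and nxt["subject"] == cert["issuer"],
        })
    return rows


def not_in_nssdb(rows):
    """Depths the server presented that the configured DB does not contain."""
    return [r["depth"] for r in rows if not r["in_nssdb"]]


def openssl_enddate(pem_body):
    """notAfter via the openssl CLI; None if openssl is absent or the block
    is not a real certificate (as with the constructed sample below)."""
    if shutil.which("openssl") is None:
        return None
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % pem_body
    proc = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=pem, capture_output=True, text=True)
    return proc.stdout.strip().split("=", 1)[1] if proc.returncode == 0 else None


# Constructed sample: abbreviated subject/issuer pairs for the 4-deep chain in
# the post; PEM bodies are base64 of placeholder bytes, not real certificates.
_CHAIN = [
    ("/C=US/O=University of Pennsylvania/CN=penngroups-dev.net.isc.upenn.edu",
     "/C=US/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA"),
    ("/C=US/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA",
     "/C=US/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority"),
    ("/C=US/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority",
     "/C=SE/O=AddTrust AB/CN=AddTrust External CA Root"),
    ("/C=SE/O=AddTrust AB/CN=AddTrust External CA Root",
     "/C=SE/O=AddTrust AB/CN=AddTrust External CA Root"),
]


def _fake_block(depth):
    body = base64.b64encode(b"placeholder-cert-%d" % depth).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_SHOWCERTS = "Certificate chain\n" + "".join(
    " %d s:%s\n   i:%s\n%s" % (d, s, i, _fake_block(d))
    for d, (s, i) in enumerate(_CHAIN))
# The NSS DB in the post holds only the service cert and one intermediate.
SAMPLE_NSSDB = _fake_block(0) + _fake_block(1)


def sample_report():
    chain = parse_showcerts(SAMPLE_SHOWCERTS)
    return chain_report(chain, nssdb_fingerprints(SAMPLE_NSSDB))


if __name__ == "__main__":
    for r in sample_report():
        print("%(depth)d in_nssdb=%(in_nssdb)s self_signed=%(self_signed)s "
              "links_to_next=%(links_to_next)s %(subject)s" % r)
    print("not in configured NSS DB:", not_in_nssdb(sample_report()))
```

Run as-is to see the sample; for real data, call parse_showcerts on the contents of local.certs and nssdb_fingerprints on the concatenated certutil -a output, and openssl_enddate on each row's pem to see which presented certs are past notAfter. Any depth that comes back as not in the configured DB was, by definition, obtained from somewhere other than that DB directory, which is exactly the question the post ends on.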