Since this is now the top hit for “openldap Mozilla nss intermediate certificate,” here’s what I ended up doing:
[rant] First of all, I sincerely hate Mozilla NSS. I don’t understand why RH decided to build OpenLDAP against it. [/rant]
There, that aside, I noticed in the excellent FAQ at http://www.openldap.org/faq/data/cache/1514.html that “If you previously used OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings specified in your configuration files, those settings should work exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc. and apply them in the same way.” So, I went to ol’ reliable /etc/tls/certs and generated a key and CSR, put the key in /etc/tls/private, and put the signed cert in /etc/tls/certs. I also put the GeoTrust intermediate cert in /etc/tls/certs as well, and then changed cn=config to read:

olcTLSCACertificateFile: /etc/pki/tls/certs/geotrust-intermediate.crt
olcTLSCACertificatePath: /etc/pki/tls/certs
olcTLSCertificateFile: /etc/pki/tls/certs/ds.clarku.edu.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ds.clarku.edu.key

Happy TLS’ing, everyone.
- Aaron
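The symptom in this thread (server has the intermediate on disk, clients still cannot verify) comes down to one question: does slapd actually send the intermediate in the TLS handshake? The check below is an added example, not part of the original thread or of OpenLDAP; it parses the "Certificate chain" listing that `openssl s_client -showcerts` prints and verifies that each certificate's issuer is the subject of the next one up, failing when only the leaf is sent or when the wrong intermediate is sent. The three sample listings are constructed for illustration (the CA names and the PEM bodies are placeholders, not real certificates); the hostname ds.clarku.edu is the one from the thread.

```shell
#!/bin/sh
# Constructed sample of `openssl s_client -showcerts` output: leaf plus matching intermediate.
# Subject/issuer names are assumptions; PEM bodies are placeholders, not real certificates.
CHAIN_OK='Certificate chain
 0 s:CN = ds.clarku.edu
   i:CN = GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 1 s:CN = GeoTrust SSL CA
   i:CN = GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Server certificate'

# Constructed: server sends only its own certificate (the failure mode in the thread).
CHAIN_MISSING='Certificate chain
 0 s:CN = ds.clarku.edu
   i:CN = GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Server certificate'

# Constructed: server sends an intermediate that did not issue the leaf.
CHAIN_WRONG='Certificate chain
 0 s:CN = ds.clarku.edu
   i:CN = GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 1 s:CN = Some Other Intermediate CA
   i:CN = Some Other Root CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Server certificate'

# check_chain: reads s_client output on stdin.
# Prints one line per link in the chain; returns 0 when the server sent at least one
# intermediate and every certificate's issuer matches the subject of the next one,
# 1 otherwise (only the leaf was sent, or an unrelated intermediate was sent).
check_chain() {
    awk '
        # " 0 s:CN = ..." opens certificate number $1 and gives its subject
        /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; count++ }
        # "   i:CN = ..." gives the issuer of the certificate opened above
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        END {
            if (count < 2) {
                print "FAIL: server sent only " count " certificate(s); intermediate missing"
                exit 1
            }
            for (d = 0; d < count - 1; d++) {
                if (iss[d] != subj[d+1]) {
                    print "FAIL: depth " d " issuer \"" iss[d] "\" != depth " d+1 " subject \"" subj[d+1] "\""
                    exit 1
                }
                print "OK: depth " d " -> depth " d+1 " (" subj[d+1] ")"
            }
            exit 0
        }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$CHAIN_OK" | check_chain
printf '%s\n' "$CHAIN_MISSING" | check_chain || echo "(clients cannot build a trust path to the CA)"
printf '%s\n' "$CHAIN_WRONG" | check_chain || echo "(wrong intermediate configured)"
```

Against a live ldaps server the same function takes real handshake output, e.g. `openssl s_client -connect ds.clarku.edu:636 -showcerts </dev/null 2>/dev/null | check_chain`. A FAIL on the "only 1 certificate" branch means the olcTLSCACertificateFile / nssdb setup is not resulting in the intermediate being sent, which is exactly the state clients see as an unverifiable certificate.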
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
Sent: Friday, February 24, 2012 1:15 PM
To: openldap-technical@openldap.org
Subject: Mozilla NSS -- how to deploy intermediate certificate
Hello,
I need to publish the GeoTrust intermediate certificate; I’m using 2.4.29 built against Mozilla NSS. In OpenSSL world, I’d use -- I think -- TLSCACertificateFile /path/to/CA-certificates. Here’s what I’ve tried:
Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ; save as intermediate.crt
Import with:

# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt

certutil -L now shows:

# certutil -d /etc/openldap/nssdb/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

geotrust-intermediate                                        ,,
ds.clarku.edu                                                Pu,Pu,Pu

cn=config looks like this:

olcTLSCACertificateFile: geotrust-intermediate
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu

But clients still cannot verify the cert.
Any Mozilla NSS gurus know what I’m doing wrong?
Thanks,
Aaron