-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, February 24, 2012 4:37 PM
To: richm@stanfordalumni.org
Cc: Rich Megginson; Aaron Bennett; openldap-technical@openldap.org
Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
Rich Megginson wrote:
On 02/24/2012 01:31 PM, Aaron Bennett wrote:
One other oddity about this is that there are two boxes in play: one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robined behind the hostname 'ds.clarku.edu'. However, the cert I have installed on each box is for ds.clarku.edu.
Not sure how this works with OpenLDAP; the usual way to handle this is to use subjectAltName so that the server's cert has animal.clarku.edu, zoot.clarku.edu and ds.clarku.edu.
That's already documented here: http://www.openldap.org/doc/admin24/tls.html
Obviously there is a standard for it and we implement that spec.
-----------
That's great, and I understand, but the error I'm getting is "The issuer certificate is unknown" from Apache Directory Explorer and "TLS: peer cert untrusted or revoked (0x42)" from ldapwhoami. If the cert that's loaded into Mozilla NSS is for 'ds.clarku.edu' and the request is sent for 'ds.clarku.edu', how are animal and zoot coming into play? I'm happy to get a new cert with subjectAltNames as appropriate, but I'm concerned that the issue is an improperly loaded or missing intermediate certificate.
Rich, can you give me some more direction on how to verify that the intermediate certificate is properly deployed?
Thanks for your time,
Aaron
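The two symptoms in this thread (a verifier that cannot find the issuer, and a certificate issued to ds.clarku.edu being presented by hosts named animal and zoot) can be reproduced and told apart offline. The script here is an added example, not code from the thread or from the OpenLDAP project: it builds a throwaway root CA, intermediate CA and server certificate with a subjectAltName covering all three hostnames (every name, key and file is constructed for the demonstration), then shows that verification against the root alone fails until the intermediate is supplied as an untrusted chain cert, and that hostname matching is decided by the subjectAltName list. It assumes only that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: build a
# throwaway three-tier PKI (root CA -> intermediate CA -> server cert with
# subjectAltName for the three hostnames discussed) and show how chain
# verification behaves with and without the intermediate present.
# All names, paths and keys are constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the test PKI into $WORK. Runs in a subshell so the cd does not
# leak into the caller. An -extfile is used for every cert so the script
# also works on OpenSSL versions that lack "req -addext".
make_pki() (
  cd "$WORK"
  q() { "$@" >/dev/null 2>&1; }

  # Root CA: self-signed, CA:TRUE
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Root CA" -keyout root.key -out root.csr
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  q openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
      -extfile ca.ext -out root.pem

  # Intermediate CA: signed by the root, allowed to issue end-entity certs only
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -sha256 -extfile inter.ext -out inter.pem

  # Server cert: CN=ds.clarku.edu plus SANs for the two real hosts, signed
  # by the intermediate rather than the root, as a commercial CA would do.
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=ds.clarku.edu" -keyout server.key -out server.csr
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ds.clarku.edu,DNS:animal.clarku.edu,DNS:zoot.clarku.edu\n' > server.ext
  q openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 30 -sha256 -extfile server.ext -out server.pem
)

# Trust only the root and supply no intermediate: this is the
# "issuer certificate is unknown" / "peer cert untrusted" situation.
# Returns non-zero.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Same trust anchor, but the intermediate is available as an untrusted
# chain cert (what a correctly configured server sends with its own cert).
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
      "$WORK/server.pem" >/dev/null 2>&1
}

# Chain verification plus hostname matching against subjectAltName.
matches_host() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
      -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Print the DNS names the server cert is valid for.
san_entries() {
  openssl x509 -in "$WORK/server.pem" -noout -text |
    awk '/Subject Alternative Name/ { getline; print; exit }'
}

main() {
  make_pki
  echo "subjectAltName in server cert:"
  san_entries
  if verify_without_intermediate; then
    echo "root only: verified (unexpected)"
  else
    echo "root only, intermediate absent: chain does NOT verify (issuer unknown)"
  fi
  if verify_with_intermediate; then
    echo "root + intermediate: chain verifies"
  fi
  for h in ds.clarku.edu animal.clarku.edu zoot.clarku.edu www.clarku.edu; do
    if matches_host "$h"; then echo "$h: matches"; else echo "$h: no match"; fi
  done
}
main
```

The failing case is the one to compare against a live server: `openssl s_client -connect ds.clarku.edu:636 -showcerts` prints every certificate the server sends, and if only one BEGIN/END block appears the intermediate is not being sent, whatever the client trusts. On the NSS side, `certutil -L -d <certdir>` lists what is actually in the database slapd is using, and `certutil -V -d <certdir> -n <server-nickname> -u V` asks NSS itself whether the server certificate validates for SSL-server use; a chain error there means the intermediate is missing from that database, which is the condition the script's "root only" branch reproduces.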