On 11.04.19 at 13:35, Mark Cairney wrote:
Hello Mark,
However, based on our understanding of how SSL works we should only actually need the intermediate(s) in there, as the client should have the root and then compare the intermediate provided by the server and only trust it if it can use this in conjunction with its copy of the root certificate to complete the chain of trust.
Based on this we configure our web servers to only have the intermediate(s) in their chain (and in fact SSL Labs marks you down if you have the root in there too).
That's best practice for *any* TLS server.
have a look at https://www.openldap.org/its/index.cgi?findid=8586
With the referenced patch I can set up

TLSCertificateFile /path/to/cert+intermediate.pem
TLSCertificateKeyFile /path/to/privkey.pem
I have no TLSCACertificateFile at all because I don't use certificates to authenticate ldap clients...
Of course we do realise LDAP is not HTTP!
I think it *is* very similar...
Andreas
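The thread above boils down to one rule for the file handed to TLSCertificateFile: server certificate first, then the intermediate(s), and no self-signed root at the end. The script below is an added example (not part of this thread, and not OpenLDAP code) that checks a PEM bundle for exactly that using only the Python standard library: it walks the DER structure of each certificate just far enough to pull out the raw issuer and subject Names, flags any certificate whose issuer equals its subject (the usual signature of a root), and verifies that each certificate in the file was issued by the next one. The certificate names, the `fake_cert_pem` helper and the sample bundles are constructed here purely so the checker can be run offline; the fake certificates are structurally valid DER but carry no real key or signature.

```python
"""Sanity-check a PEM bundle meant for slapd's TLSCertificateFile:
server cert first, intermediates after it, no self-signed root.
Standard library only; a minimal DER walker extracts issuer/subject."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Name of one certificate."""
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertificate SEQUENCE
    tag, _, e = _tlv(der, p)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        p = e
    _, _, p = _tlv(der, p)                 # serialNumber
    _, _, p = _tlv(der, p)                 # signature AlgorithmIdentifier
    _, _, e = _tlv(der, p)                 # issuer Name
    issuer, p = der[p:e], e
    _, _, p = _tlv(der, p)                 # validity
    _, _, e = _tlv(der, p)                 # subject Name
    return issuer, der[p:e]


def check_chain_file(pem_bytes):
    """Return a list of findings; an empty list means the bundle looks right.
    Self-signed is detected as issuer Name == subject Name (a heuristic that
    matches how real root certificates are encoded, not a signature check)."""
    certs = [issuer_and_subject(d) for d in pem_to_der_list(pem_bytes)]
    if not certs:
        return ["no certificates found"]
    findings = []
    for i, (issuer, subject) in enumerate(certs, start=1):
        if issuer == subject:
            findings.append(f"certificate #{i} is self-signed: looks like a root, remove it")
        if i > 1 and certs[i - 2][0] != subject:
            findings.append(f"certificate #{i} did not issue certificate #{i - 1}: chain order is broken")
    return findings


# ---- constructed sample data (hypothetical names, no real keys) ----------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE OF RDN, here a single RDN holding commonName (OID 2.5.4.3)."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate with the given subject/issuer for testing the checker."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                     # version v3
               + _der(0x02, b"\x01")                               # serialNumber
               + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"190411133500Z") + _der(0x17, b"200411133500Z"))
               + _name(subject_cn)
               + _der(0x30, b""))                                  # placeholder SubjectPublicKeyInfo
    cert = _der(0x30, tbs + _der(0x30, b"\x05\x00") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


# What Andreas describes: leaf + intermediate only.
GOOD_BUNDLE = (fake_cert_pem("ldap.example.org", "Example Intermediate CA")
               + fake_cert_pem("Example Intermediate CA", "Example Root CA"))
# The same file with the root appended, which SSL Labs would mark down.
BAD_BUNDLE = GOOD_BUNDLE + fake_cert_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_chain_file(bundle) or "ok")
```

Run it against a real file with `check_chain_file(open("/path/to/cert+intermediate.pem", "rb").read())`; the checker only looks at certificate structure, so it complements rather than replaces an `openssl verify` of the actual signatures.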