On 11.04.19 at 13:35, Mark Cairney wrote:
Hello Mark,
> However, based on our understanding of how SSL works we should only
> actually need the intermediate(s) in there, as the client should have the
> root and then compare the intermediate provided by the server and only
> trust it if it can use this in conjunction with its copy of the root
> certificate to complete the chain of trust.
> Based on this we configure our web servers to only have the
> intermediate(s) in their chain (and in fact SSL Labs marks you down if
> you have the root in there too).
That's best practice for *any* TLS server.
Have a look at
https://www.openldap.org/its/index.cgi?findid=8586
With the referenced patch I can set up
TLSCertificateFile /path/to/cert+intermediate.pem
TLSCertificateKeyFile /path/to/privkey.pem
I have no TLSCACertificateFile at all because I don't use certificates
to authenticate LDAP clients...
> Of course we do realise LDAP is not HTTP!
I think it *is* very similar...
Andreas
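As an added example (not code from this thread, from OpenLDAP or from the ITS#8586 patch), the script below builds a throwaway root -> intermediate -> leaf chain with OpenSSL, writes the leaf+intermediate file that the patched TLSCertificateFile takes, and checks the point made above: a client that holds only the root verifies the server when the intermediate is part of what the server sends, and fails when the server sends the leaf alone. All names (Example Root CA, ldap.example.org) and paths are made up; it assumes OpenSSL 1.1 or newer and works in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: build a root -> intermediate -> leaf chain,
# assemble the leaf+intermediate file for slapd's TLSCertificateFile, and verify
# it the way a TLS client that trusts only the root would.
# Names and paths are made up; assumes OpenSSL 1.1 or newer.
set -eu

# Generate a fresh three-tier PKI into directory $1.
build_chain() {
  dir="$1"

  # 1. Self-signed root CA: this is the only thing the *client* is assumed to hold.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -days 3650 -sha256 -extfile "$dir/root.ext" -out "$dir/root.pem"

  # 2. Intermediate CA, signed by the root (CA:TRUE, pathlen 0).
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$dir/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/int.ext" -out "$dir/int.pem"

  # 3. Server (leaf) certificate for the LDAP host, signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.org\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ldap.example.org" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem"

  # 4. What the server presents: leaf first, then the intermediate(s), no root.
  #    slapd.conf (with the ITS#8586 patch):
  #      TLSCertificateFile    /path/to/cert+intermediate.pem
  #      TLSCertificateKeyFile /path/to/privkey.pem
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/cert+intermediate.pem"
}

# Number of certificates in the file the server sends (expect 2: leaf + intermediate).
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1/cert+intermediate.pem"
}

# Client-side check: trust only the root; take the intermediate from the server's chain.
client_verify() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/cert+intermediate.pem" "$1/leaf.pem"
}

# Same client, but the server sent only the leaf: the chain cannot be completed.
client_verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>/dev/null
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK"
echo "certificates in cert+intermediate.pem: $(chain_length "$WORK")"
if client_verify "$WORK"; then
  echo "leaf+intermediate: verified by a client holding only the root"
fi
if client_verify_leaf_only "$WORK"; then
  echo "unexpected: leaf alone verified"
else
  echo "leaf alone: verification fails (no intermediate to complete the chain), as expected"
fi
```

The same `openssl verify -CAfile root.pem -untrusted <chain file> <leaf>` call is a quick way to check the file you point TLSCertificateFile at before restarting slapd: if it only passes when you add the root to `-untrusted`, the chain file is missing an intermediate.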