On 02/24/2012 11:15 AM, Aaron Bennett wrote:
Hello,

I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built against Mozilla NSS. In OpenSSL world, I'd use -- I think -- TLSCACertificateFile /path/to/CA-certificates.

Here's what I've tried:

Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ; save as intermediate.crt

Import with:

    # certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt

Certutil -L now shows:

    # certutil -d /etc/openldap/nssdb/ -L

    Certificate Nickname                    Trust Attributes
                                            SSL,S/MIME,JAR/XPI

    geotrust-intermediate                   ,,
    ds.clarku.edu                           Pu,Pu,Pu

cn=config looks like this:

    olcTLSCACertificateFile: geotrust-intermediate
    olcTLSCACertificatePath: /etc/openldap/nssdb
    olcTLSCertificateFile: ds.clarku.edu

But still clients cannot verify the cert. Any Mozilla NSS gurus know what I'm doing wrong?
See http://www.openldap.org/faq/data/cache/1514.html Using Builtin Root Certs:
Thanks, Aaron