On 02/24/2012 11:15 AM, Aaron Bennett wrote:
Hello,
 
I need to publish the GeoTrust intermediate certificate; I’m using 2.4.29 built against Mozilla NSS.  In OpenSSL world, I’d use -- I think -- TLSCACertificateFile /path/to/CA-certificates.  Here’s what I’ve tried:
 
Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ; save as intermediate.crt
 
Import with:
 
# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i  intermediate.crt
 
Certutil -L now shows:
 
# certutil -d /etc/openldap/nssdb/ -L
 
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
 
geotrust-intermediate                                        ,,  
ds.clarku.edu                                                Pu,Pu,Pu
 
 
cn=config looks like this:
 
olcTLSCACertificateFile: geotrust-intermediate
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu
 
But still clients cannot verify the cert.
 
Any Mozilla NSS gurus know what I’m doing wrong?
See http://www.openldap.org/faq/data/cache/1514.html
Using Builtin Root Certs:
 
Thanks,
 
Aaron