Andrew Devenish-Meares wrote:
We are currently assessing changing our TLS Certificate setup.
We have been using a self-signed CA to issue certificates for our OpenLDAP setup, which has required us to supply the CA to anyone outside our organisation that wishes to use our OpenLDAP over TLS or SSL.
We're currently starting to migrate our certificates to AusCERT, as we get a good deal as a University. As AusCERT is an intermediate CA, so we need to use a chain to get this to work.
The server side works, as per the documentation, by adding the intermediate CA with the root CA in the olcTLSCertificateCAFile.
This means that we need to install the intermediate certificate on clients that connect to our LDAP using SSL or TLS. Admittedly this isn't vastly different to what we need to do now in supplying our own CA.
If correctly setup the server will send the intermediate CA cert to the client in the TLS handshake. So the client will be able to validate the server cert and intermediate CA cert against a pre-installed root CA cert.
You can test this with "openssl s_server ..".
Ciao, Michael.