Hi Andreas,
Thanks - the discussion in the ITS is very useful/interesting. I should clarify that we're referring to a commercially-signed certificate for our LDAP server, so clients should already have the root CA in their trust store.
We also aren't currently doing client cert verification and tend to use service accounts for client authentication. We may look to support client cert verification in the future using our own internal CA.
Kind regards, Mark
On 13/04/2019 15:48, A. Schulze wrote:
On 11.04.19 at 13:35, Mark Cairney wrote:
Hello Mark,
However, based on our understanding of how SSL works, we should only actually need the intermediate(s) in there, as the client should have the root and then compare the intermediate provided by the server and only trust it if it can use this in conjunction with its copy of the root certificate to complete the chain of trust.
Based on this we configure our web servers to only have the intermediate(s) in their chain (and in fact SSL Labs marks you down if you have the root in there too).
That's best practice for *any* TLS server.
Have a look at https://www.openldap.org/its/index.cgi?findid=8586 - with the referenced patch I can set up:

TLSCertificateFile /path/to/cert+intermediate.pem
TLSCertificateKeyFile /path/to/privkey.pem
I have no TLSCACertificateFile at all because I don't use certificates to authenticate ldap clients...
Of course we do realise LDAP is not HTTP!
I think it *is* very similar...
Andreas
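The layout Andreas describes (TLSCertificateFile holding the server certificate plus the intermediate, the root living only in the client's trust store), as an added shell example using the openssl CLI; it is not from the thread or from OpenLDAP, and it generates throwaway keys and made-up names (Example Root CA, ldap.example.org) in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate
# -> server certificate chain with the openssl CLI, assemble the file slapd is
# given as TLSCertificateFile (server cert + intermediate, no root), and check
# that a client holding only the root can complete the chain. Names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key + CSR for one name: $1 = file stem, $2 = CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# Sign a CSR: $1 = stem, $2 = issuer stem ("self" to self-sign), $3 = extensions.
sign() {
  printf '%b' "$3" > "$WORK/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -days 7 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 7 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
      -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

new_csr root "Example Root CA"
sign root self 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
new_csr int "Example Issuing CA"
sign int root 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n'
new_csr ldap "ldap.example.org"
sign ldap int 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.org\nextendedKeyUsage=serverAuth\n'

# What slapd serves (TLSCertificateFile): the server cert first, then the
# intermediate. The root is deliberately left out; clients already hold it.
cat "$WORK/ldap.pem" "$WORK/int.pem" > "$WORK/cert+intermediate.pem"

# Number of certificates in the served chain; expect 2 (leaf + intermediate).
served_cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/cert+intermediate.pem"; }

# A client whose trust store holds only the root: exit 0 if the chain builds.
client_verifies_with_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/cert+intermediate.pem" \
    "$WORK/ldap.pem" >/dev/null 2>&1
}
# A client with an empty trust store: the served intermediate alone is not enough.
client_verifies_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/cert+intermediate.pem" \
    "$WORK/ldap.pem" >/dev/null 2>&1
}
```

Run it as a script; `openssl verify` stands in for the TLS client's chain building, so the same two checks can be pointed at a real chain file before it is handed to slapd.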