Hello,
I have a problem understanding how cacert.pem works with OpenLDAP 2.4 under CentOS.
I have an extremely heterogeneous fleet of machines (with OpenLDAP clients and other owners).
So I have 2 certificates (CA and intermediate CA) self-signed with the MD5withRSA algorithm, and the same 2 certificates self-signed with the SHA1withRSA algorithm.
The 4 certificates are therefore in the cacert.pem of the server and of the clients (keystore).
It works perfectly for old servers, but for new ones I have to force the use of TLS 1.1 because of the algorithms.
I have two problems:
If I paste just the 2 MD5 certificates into the client keystore, it works, but if I leave in the 2 SHA1 certificates, it does not work (bad certificate).
I don't understand how OpenLDAP reads the file when there are multiple choices. Does it start with the first pair, and if that doesn't work, move on to the next one?
So the idea would be to generate 2 new certificates identical to the others but with a SHA256 signature, for example, to work with TLS 1.2/1.3 and keep LDAP compatibility with old servers.
The cacert.pem file of the OpenLDAP server would therefore contain 6 certificates, and the clients, depending on their OS, would have the appropriate pair of certificates.
Could this work? Or, for the clients, do I leave cacert.pem as is, and it will choose what it needs to establish the TLS connection?
I am a little lost...
Best regards,
Fred
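The question above is really about how a TLS library chooses among several CA certificates in one cacert.pem-style bundle. The script below is an added example, not part of Fred's post and not OpenLDAP code: it builds a small sha256 test PKI with the openssl command line (root, intermediate, one server certificate, plus an unrelated root), writes the CA certificates into a bundle in the "wrong" order, lists the signature algorithm of every certificate in the bundle, and verifies the server certificate against it. The names "Demo Root CA", "Demo Intermediate CA", "Unrelated Root CA" and "ldap.example.test" are constructed for the demo. The verification succeeds even though the matching root is the last entry, which shows that the bundle is a set of trust anchors looked up by issuer name, not a list tried from the top, and the listing function is the check to run on a real cacert.pem to see which entries still carry md5 or sha1 signatures.

```shell
#!/bin/sh
# Added example (not from the original post): build a small sha256 PKI with
# openssl, put several CA certs into one cacert.pem-style bundle, and show that
# the verifier picks the issuer by name, not by position in the file.
# All names (Demo Root CA, Demo Intermediate CA, ldap.example.test) are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extensions so the CAs are accepted as CAs and the leaf is not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > leaf.ext

make_csr() {   # $1 = file prefix, $2 = CN: fresh RSA key + CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

make_root() {  # $1 = file prefix, $2 = CN: self-signed CA with explicit CA extensions
  make_csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 30 \
    -sha256 -extfile ca.ext 2>/dev/null
}

sign_cert() {  # $1 = subject prefix, $2 = issuer prefix, $3 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 30 -sha256 -extfile "$3" 2>/dev/null
}

# Print "subject | signature algorithm" for every certificate in a PEM bundle.
# This is the check to run on a real cacert.pem to spot md5/sha1-signed entries.
list_sigalgs() {
  awk '/-----BEGIN CERTIFICATE-----/{n++}
       n{print > ("split_" n ".pem")}
       /-----END CERTIFICATE-----/{close("split_" n ".pem")}' "$1"
  for f in split_*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    alg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/{print $3; exit}')
    echo "$subj | $alg"
    rm -f "$f"
  done
}

# Verify a leaf against a bundle that contains the full chain; prints OK or FAIL.
verify_leaf() {  # $1 = bundle, $2 = leaf certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Build the demo PKI: two unrelated roots, one intermediate, one LDAP server cert.
make_root root  "Demo Root CA"
make_root other "Unrelated Root CA"
make_csr  int   "Demo Intermediate CA"; sign_cert int  root ca.ext
make_csr  ldap  "ldap.example.test";    sign_cert ldap int  leaf.ext

# Bundle in the "wrong" order: unrelated root first, the matching root last.
cat other.pem int.pem root.pem > cacert.pem

echo "== certificates in cacert.pem =="
list_sigalgs cacert.pem
echo "== verification =="
echo "ldap cert vs full bundle:         $(verify_leaf cacert.pem ldap.pem)"  # OK
echo "ldap cert vs unrelated root only: $(verify_leaf other.pem  ldap.pem)"  # FAIL
```

Run it as a plain shell script on a host with the openssl command; everything is written to a temporary directory. The order of entries in cacert.pem does not matter for the verification, and a leaf whose issuer is absent from the bundle fails regardless of what else the bundle contains. To inspect a real bundle, call list_sigalgs on it; any line ending in md5WithRSAEncryption or sha1WithRSAEncryption is a certificate that modern TLS stacks will reject at their default security level.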