Hello,

I have a problem understanding how cacert.pem works on openldap 2.4 under centos.

I have an extremely heterogeneous machine park (with OpenLDAP clients and other owners).

So I have 2 certificates (CA and intermediate CA) self-signed with the MD5withRSA algorithm and the same 2 certificates self-signed with the SHA1withRSA algorithm.

The 4 certificates are therefore in the cacert.pem of the server and of the clients (keystore).

It works perfectly for old servers but for new ones I have to force the use of TLS 1.1 because of the algorithms.

I have two problems:

If I just paste the 2 MD5 certificates into the client keystore, it works, but if I leave the 2 SHA1 certificates in, it does not work (bad certificate). I don't understand how openldap reads the file when there are multiple choices. Does it start with the first pair and, if that doesn't work, move on to the next one?

So the idea would be to generate 2 new certificates identical to the others but with a SHA256 signature, for example, to work with TLS 1.2/1.3 and keep LDAP compatibility with old servers.

The cacert.pem file of the OpenLDAP server would therefore have 6 certificates, and the clients, depending on their OS, would have the appropriate pair of certificates. Could this work? Or, for the clients, do I leave the cacert the same and it will choose what it needs to establish the TLS connection?

I am a little lost ...

Best regards,
Fred
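The question above is really about what is inside a PEM bundle with several CA certificates and which signature algorithm each one carries. Before reshuffling pairs of certificates between keystores, the practical first check is to inventory the bundle: every certificate in cacert.pem is a trust anchor, and which one is actually used is decided by the chain the peer presents, not by file order. The script below is an added example (not code from the original post) that walks the outer DER structure of each certificate in a PEM bundle and reports its signatureAlgorithm OID, so MD5-signed and SHA1-signed anchors can be spotted. It does not validate signatures; the sample bundle is a constructed set of certificate skeletons (valid Certificate layout, no real key or signature) used only so that the example runs offline. With a real file, call `audit_bundle(open("/etc/openldap/certs/cacert.pem").read())` (that path is an assumption about the deployment).

```python
import base64
import re

# Matches each PEM certificate block in a bundle (multi-line, non-greedy).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# RSA signature algorithm OIDs relevant to the thread (MD5, SHA1, SHA256).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, start, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)        # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[oid_start:oid_end])


def audit_bundle(pem_text):
    """Return [(index, oid, algorithm_name)] for every certificate in a PEM bundle."""
    result = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(b64.split()))
        oid = signature_algorithm(der)
        result.append((i, oid, SIG_OIDS.get(oid, "unknown")))
    return result


def weak_entries(pem_text):
    """Indexes of bundle entries signed with MD5 or SHA1."""
    return [i for i, _, name in audit_bundle(pem_text) if name in WEAK]


# ---- constructed sample input (NOT real certificates) ----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    ints = [int(x) for x in dotted.split(".")]
    body = [40 * ints[0] + ints[1]]
    for v in ints[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def fake_cert_pem(sig_oid):
    """Certificate-shaped DER skeleton: empty tbs, AlgorithmIdentifier, dummy BIT STRING."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    der = _der(0x30, tbs + alg + sig)
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Mirrors the poster's bundle: CA + intermediate in MD5, then the same pair in SHA1.
SAMPLE_BUNDLE = (fake_cert_pem("1.2.840.113549.1.1.4") * 2
                 + fake_cert_pem("1.2.840.113549.1.1.5") * 2)

if __name__ == "__main__":
    for i, oid, name in audit_bundle(SAMPLE_BUNDLE):
        print(f"cert[{i}] {oid} {name}{'  <-- weak' if name in WEAK else ''}")
```

Entries flagged as weak are the ones a client built against a modern TLS stack will reject regardless of where they sit in the file, which is why the order of the pairs in cacert.pem does not change the outcome.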