On 02/27/2012 01:17 PM, Aaron Bennett wrote:
Since this is now the top hit for "openldap Mozilla nss intermediate certificate," here's what I ended up doing:
[rant] First of all, I sincerely hate Mozilla NSS. I don't understand why RH decided to build OpenLdap against it.[/rant]
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
It's not just openldap, it's many other components.
And, if you are a Red Hat customer, please report any problems with using Red Hat products with your support channel. Red Hat is committed to making openldap + mozilla NSS work.
There, that aside, I noticed in the excellent FAQ at http://www.openldap.org/faq/data/cache/1514.html that "If you previously used OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings specified in your configuration files, those settings should work exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc. and apply them in the same way." So, I went to ol' reliable /etc/tls/certs and generated a key and CSR, put the key in /etc/tls/private, and put the signed cert in /etc/tls/certs. I also put the GeoTrust intermediate cert in /etc/tls/certs as well, and then changed cn=config to read:
olcTLSCACertificateFile: /etc/pki/tls/certs/geotrust-intermediate.crt
olcTLSCACertificatePath: /etc/pki/tls/certs
olcTLSCertificateFile: /etc/pki/tls/certs/ds.clarku.edu.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ds.clarku.edu.key
Happy TLS'ing everyone.
That was the intention - that customers upgrading from openldap + openssl to openldap + moznss should not notice or care about the underlying crypto implementation - it should just work exactly as before.
-Aaron
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
Sent: Friday, February 24, 2012 1:15 PM
To: openldap-technical@openldap.org
Subject: Mozilla NSS -- how to deploy intermediate certificate
Hello,
I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built against Mozilla NSS. In OpenSSL world, I'd use -- I think -- TLSCACertificateFile /path/to/CA-certificates. Here's what I've tried:
Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ; save as intermediate.crt
Import with:
# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt
certutil -L now shows:

    # certutil -d /etc/openldap/nssdb/ -L

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    geotrust-intermediate                           ,,
    ds.clarku.edu                                   Pu,Pu,Pu
cn=config looks like this:
olcTLSCACertificateFile: geotrust-intermediate
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu
But still clients cannot verify the cert.
Any Mozilla NSS gurus know what I'm doing wrong?
Thanks,
Aaron
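The following is an added example, written for this page and not code from the thread, from OpenLDAP or from Red Hat. It reproduces with openssl the situation in both messages above: a client that trusts only the root CA cannot verify a server certificate issued by an intermediate unless the intermediate is available to it, which is what "clients cannot verify the cert" looks like when slapd sends only its own certificate. The script builds a throwaway root -> intermediate -> server chain (the CA names are invented; the hostname ds.clarku.edu is reused from the thread), shows the verification failing and succeeding, and includes a helper for checking what a running ldaps server actually sends on the wire.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: build a throwaway
# root -> intermediate -> server chain with openssl, then show the failure
# Aaron saw ("clients cannot verify the cert") and the chain that fixes it.
# The hostname ds.clarku.edu is reused from the thread; the CA names are
# invented, and every key and certificate below is generated locally.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ds.clarku.edu
EOF

# Root CA: stands in for the GeoTrust root that clients already trust.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
  -extensions v3_ca -subj "/CN=Example Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA, signed by the root: stands in for the GeoTrust intermediate.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.cnf -extensions v3_ca -out inter.crt 2>/dev/null

# Server certificate, signed by the intermediate (what slapd presents).
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=ds.clarku.edu" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 30 -in server.csr -CA inter.crt -CAkey inter.key \
  -CAcreateserial -extfile ca.cnf -extensions v3_server -out server.crt 2>/dev/null

# chain_status [intermediate.crt]: emulate a client that trusts only the root.
# Without the intermediate, no path from root to server.crt can be built;
# that is what an LDAP client sees when slapd sends only the leaf certificate.
chain_status() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile root.crt -untrusted "$1" server.crt >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile root.crt server.crt >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

# count_certs FILE: number of PEM certificates in a bundle (grep -c prints it).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Server-side chain: leaf first, then the intermediate. Whatever the slapd
# build (OpenSSL or NSS) does with its config, this is what a client must
# receive in the handshake for the verification above to succeed.
cat server.crt inter.crt > chain.pem

# check_live_server HOST [PORT]: count the certificates a running ldaps
# server actually sends. A result of 1 means the intermediate is missing.
# Not run here, since it needs network access.
check_live_server() {
  openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

echo "client trusting root only:          $(chain_status)"           # fail
echo "client given root + intermediate:   $(chain_status inter.crt)" # ok
echo "certificates in server chain file:  $(count_certs chain.pem)"  # 2
```

To apply the same check to a real deployment, run `check_live_server ds.clarku.edu` (or any host and port) against the server: it tests the bytes on the wire, so it works the same whether slapd was built against OpenSSL or Mozilla NSS, and a count of 1 tells you the intermediate is not being sent regardless of what cn=config says.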