John Gee john@kleinfeld.ch writes:
On Wed, Oct 08, 2008 at 06:35:36PM +0200, Dieter Klünter wrote: [...]
I just had to switch to my Solaris box in order to test ldapclient. I am referring to your initial mail now. With certutil you created a certificate database which includes the server certificates; these are presented to the ldap server as client certificates. Remove these server certificates from the repository and just leave the ca-cert in order to verify the server certificate. This setup I just tested successfully on my Solaris box.
Ok, I removed the certificates from my CertDB, so that ca-cert is alone there. It happens exactly the same as already described. Maybe I'm doing something wrong with the import of the self-signed ca to certdb.
Did you sign the server certificates with this ca-cert? And how did you create the CA and the server certificates? I personally use the CA.pl tools from openssl; this is by no means the best way to do it, but the simplest. If you follow this path, you may have to edit openssl.cnf to meet your requirements. Then you just do:

./CA.pl -newca                                 creates a self-signed CA
./CA.pl -newreq                                creates a host or user certificate request
./CA.pl -sign                                  signs the request
openssl rsa -in newreq.pem -out foo-key.pem    removes the password from the requested certificate and creates a key file
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem
-Dieter
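The same sequence as an added example (not from this thread or from the openssl/NSS projects), using plain openssl commands in place of CA.pl: it creates a self-signed CA, signs a server request with it, checks that the server certificate chains to the CA (the verification ldapclient performs), and imports only the CA certificate into an NSS certdb, leaving server certificates out as Dieter advises. Directory layout, the names demo-ca and ldap.example.test, and the availability of certutil with the --empty-password option are assumptions.

```shell
#!/bin/sh
# Added example: mini CA with plain openssl instead of CA.pl. Names are constructed.
set -eu

# make_demo_pki DIR : self-signed CA plus a CA-signed server certificate under DIR
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # self-signed CA (what ./CA.pl -newca produces)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=demo-ca" \
        -keyout "$dir/cacert-key.pem" -out "$dir/cacert.pem" 2>/dev/null
    # server key and request (./CA.pl -newreq); -nodes leaves the key without a
    # passphrase, the result of "openssl rsa -in newreq.pem -out foo-key.pem"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/foo-key.pem" -out "$dir/newreq.pem" 2>/dev/null
    # sign the request with the CA (./CA.pl -sign)
    openssl x509 -req -in "$dir/newreq.pem" -sha256 -days 30 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cacert-key.pem" -CAcreateserial \
        -out "$dir/foo-cert.pem" 2>/dev/null
}

# verify_against_ca CACERT CERT : succeeds only if CERT chains to CACERT,
# i.e. the check the ldap client does with the CA cert in its certdb
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# import_ca_only CERTDB CACERT : the client certdb holds just the CA certificate,
# trusted to issue server certs ("CT,,"); server certs do not belong in it
import_ca_only() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    mkdir -p "$1"
    [ -f "$1/cert9.db" ] || [ -f "$1/cert8.db" ] || certutil -N -d "$1" --empty-password
    certutil -A -d "$1" -n "demo-ca" -t "CT,," -i "$2"
    certutil -L -d "$1"
}

# usage: sh demo-ca.sh WORKDIR
if [ $# -eq 1 ]; then
    make_demo_pki "$1"
    verify_against_ca "$1/cacert.pem" "$1/foo-cert.pem" && echo "foo-cert.pem chains to cacert.pem"
    import_ca_only "$1/certdb" "$1/cacert.pem" || true
fi
```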