Since this is now the top hit for "openldap Mozilla nss intermediate
certificate," here's what I ended up doing:
[rant] First of all, I sincerely hate Mozilla NSS. I don't understand why RH decided
to build OpenLDAP against it.[/rant]
There, that aside, I noticed in the excellent FAQ at
that "If you previously used
OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings
specified in your configuration files, those settings should work exactly the same way
with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc.
and apply them in the same way." So, I went to ole-reliable /etc/tls/certs and
generated a key and csr, put the key in /etc/tls/private, and put the signed cert in
/etc/tls/certs. I also put the geotrust intermediate cert in /etc/tls/certs as well, and
then changed cn=config to read:
Happy TLS'ing everyone.
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
Sent: Friday, February 24, 2012 1:15 PM
Subject: Mozilla NSS -- how to deploy intermediate certificate
I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built
against Mozilla NSS. In OpenSSL world, I'd use -- I think -- TLSCACertificateFile
/path/to/CA-certificates. Here's what I've tried:
Download GeoTrust cert from
save as intermediate.crt
# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i
`certutil -L` now shows:
# certutil -d /etc/openldap/nssdb/ -L
Certificate Nickname Trust Attributes
cn=config looks like this:
But still clients cannot verify the cert.
Any Mozilla NSS gurus know what I'm doing wrong?
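For reference, here is what the file-based cn=config approach from the reply at the top of the thread looks like as an LDIF modification. This is an added example, not the configuration either poster used (the thread omits their actual cn=config contents); the file paths and hostname are assumptions, and the key file is expected to be readable only by the user slapd runs as.

```ldif
# Added example: point cn=config at PEM files so slapd serves the full chain.
# Paths and hostname are assumptions; substitute your own.
# The CA file must contain the intermediate certificate (root optional),
# otherwise clients that only trust the root cannot build the chain.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/intermediate-chain.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
```

Apply it over the local socket as the root-mapped identity (`ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif`), then confirm the server actually sends the intermediate with `openssl s_client -connect ldap.example.com:636 -showcerts` and check that a client-side StartTLS succeeds with `ldapsearch -ZZ -x -H ldap://ldap.example.com -b '' -s base`. If `s_client` lists only the leaf certificate, the intermediate is not in the CA file slapd is reading, regardless of what `certutil -L` reports for the NSS database.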