On Thu, May 18 2017 at 20:17:16 +0900, Alexandre Rosenberg scribbled in "Re: Antw: Re: TLSCACertificateFile directive and multiple CA certificates":
Hello,
I tested and the issue only happens if 2 CAs have the same DN. I regenerated the new CA with a different DN and it's working.
As I mentioned, I am not sure what the proper behavior of OpenLDAP/OpenSSL should be in case 2 CAs have the same DN.
I am not sure if I am misunderstanding what TLSCACertificateFile is used for. The main use is to let OpenLDAP know which CA it should trust when validating certificates. That is clearly what is in the doc.
Best,
Alex
Hi Alex,
Glad you got it working.
I think the proper behaviour would be to not have 2 CAs with the same DN, as the first-match-wins. As the DN is used to identify the issuer of the certificate you're attempting to authenticate, it would make little sense to have a naming collision.
I realise the docs say that order doesn't matter, but that assumes that all included certificates would have clearly distinguished subject names (hence "DN").
Cheers.
Dameon.
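To catch the collision discussed above before it breaks validation, here is an added check that is not from the thread or the OpenLDAP project: it lists the subject DN of every certificate in a PEM bundle (such as the file named by TLSCACertificateFile) and reports any DN that appears more than once. It assumes the openssl CLI is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenLDAP code): detect duplicate subject DNs in a PEM CA bundle.
# Requires the openssl CLI. Function names here are hypothetical.

# Print the subject DN of every certificate in the bundle, one per line,
# in bundle order (the order the first-match-wins lookup would see).
ca_bundle_subjects() {
    bundle="$1"
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || break
        openssl x509 -in "$f" -noout -subject
    done
    rm -rf "$tmp"
}

# Print each subject DN that occurs more than once in the bundle.
# Empty output means no naming collision among the trusted CAs.
ca_bundle_duplicate_subjects() {
    ca_bundle_subjects "$1" | sort | uniq -d
}
```

Run `ca_bundle_duplicate_subjects /path/to/ca-bundle.pem` against your TLSCACertificateFile; any line printed is a DN for which only the first certificate in the file will ever be used as issuer.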
openldap-technical@openldap.org