From: owner-openssl-users@openssl.org On Behalf Of Rodney Simioni Sent: Thursday, 20 June, 2013 12:04
A key/pair was sent to me from my admin and it looked like it came from GeoTrust. It's a wildcard cert.
A privatekey (which in most formats including openssl's is really a keypair) and a matching certificate. You need both.
I downloaded the Root CA from GeoTrust's web site because LDAP requires the CA file.
The wildcard.securesites.com.cert you posted 6/19 has Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
GeoTrust doesn't publish that anywhere I can find but http://www.tbs-certificats.com/FAQ/en/603.html has it,
which is an intermediate (not root) cert (verifiably) under Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
and THAT is "Root 2" (one of several) on http://www.geotrust.com/resources/root-certificates/index.html (also in the standard Windows, Firefox, and Java truststores)
What command do I use to make sure the key/pair that was sent to me is compatible with GeoTrust's CA?
Either concatenate the intermediate above and the correct root (also in PEM) into one file say geotrustCAs.pem and do: openssl verify -CAfile geotrustCAs.pem yourcertfile
Or put them as separate files in some directory say mycadir, create hashnames using c_rehash or by hand, and do: openssl verify -CApath mycadir yourcertfile
(The first is usually easier.)
Assuming (as asked before) your openldap is using openssl not Mozilla NSS, to use a key&cert with an intermediate cert openssl requires either configuring a certchain file or putting the chain cert(s) in the truststore (even if the cert(s) or truststore aren't needed for verification).
The manpage on http://linux.die.net/man/5/slapd-config does not indicate any option to configure a chain file; if that is true for the version you are using, use one of the above approaches with olcTLSCACertificateFile or Path.
openldap-technical@openldap.org
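An added example, not part of the thread: a POSIX shell script that automates the checks discussed above (does the private key match the certificate, does a candidate intermediate's SKI equal the certificate's AKI, and does `openssl verify -CAfile` succeed once intermediate and root are concatenated). It assumes an openssl CLI (1.1.1 or 3.x) on PATH; the function names and file arguments are mine.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes `openssl` on PATH.

# Print one key-identifier extension value (e.g. 42:79:54:...) from a cert.
# Handles both the 1.1.1 ("keyid:...") and 3.x (bare hex) -text layouts.
_keyid_ext() {  # $1 = cert file, $2 = extension title as printed by -text
    openssl x509 -in "$1" -noout -text \
        | awk -v t="X509v3 $2" 'found { print; exit } index($0, t) { found = 1 }' \
        | sed 's/^[[:space:]]*//; s/^keyid://'
}
cert_aki() { _keyid_ext "$1" "Authority Key Identifier"; }
cert_ski() { _keyid_ext "$1" "Subject Key Identifier"; }

# Returns 0 when the candidate issuer's SKI equals the leaf's AKI, i.e. it is
# the certificate that actually signed the leaf (not just "some GeoTrust CA").
issuer_matches() {  # $1 = leaf cert, $2 = candidate issuer cert
    aki=$(cert_aki "$1")
    [ -n "$aki" ] && [ "$aki" = "$(cert_ski "$2")" ]
}

# Returns 0 when the private key's public half is the one inside the cert.
# Compares SubjectPublicKeyInfo PEM, so it works for RSA and EC alike.
key_matches_cert() {  # $1 = private key (PEM), $2 = cert (PEM)
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# The "first approach" from the reply: concatenate intermediate(s) + root into
# one CAfile and verify the leaf against it. Exit status is openssl verify's.
# Usage: verify_chain leaf.pem geotrustCAs.pem intermediate.pem root.pem
verify_chain() {  # $1 = leaf, $2 = CAfile to write, $3.. = chain certs (PEM)
    leaf=$1; cafile=$2; shift 2
    cat "$@" > "$cafile"
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}
```

Running `verify_chain` with only the root in the CAfile is expected to fail with "unable to get local issuer certificate"; that is the symptom of a missing intermediate.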