Hello,
I have a problem understanding how cacert.pem works on openldap 2.4 under centos.
I have an extremely heterogeneous machine park (with openldap clients and other owners).
So I have 2 Certificates (CA and intermediate CA) self-signed with the MD5withRSA algorithm and the same 2 certificates self-signed with the SHA1withRSA algorithm.
The 4 certificates are therefore in the cacert.pem of the server and the clients. (keystore)
It works perfectly for old servers but for new ones I have to force the use of TLS 1.1 because of the algorithms.
I have two problems:
If I just paste the 2 certificates in MD5 in the client keystore, it works, but if I leave the 2 certificates in SHA1, it does not work (bad certificate). I don't understand how openldap reads the file when there are multiple choices. Does it start with the first pair and, if that doesn't work, go on to the next one?
So the idea would be to generate 2 new certificates identical to the others but with a SHA256 signature, for example, to work in TLS 1.2/1.3 and keep ldap compatibility with old servers.
The cacert.pem file of the OpenLDAP server would therefore have 6 certificates, and the clients, depending on their OS, would have the appropriate pair of certificates. Could this work? Or do I leave the clients' cacert the same and it will choose what it needs to establish the TLS connection?
I am a little lost ...
Best regards, Fred
fredd fredddo warmastercs@gmail.com wrote on 15.06.2022 at 19:46 in
message CA+AO1T7jrBwdGtUkg4Ypsb99H6q_iVt2mDLYy1bf5Hv1bLYEtw@mail.gmail.com:
> Hello,
> I have a problem understanding how cacert.pem works on openldap 2.4 under centos.
> I have an extremely heterogeneous machine park (with openldap clients and other owners).
> So I have 2 Certificates (CA and intermediate CA) self-signed with the MD5withRSA algorithm and the same 2 certificates self-signed with the SHA1withRSA algorithm.
I don't know what clients you are using, but our certificate from 2018 uses sha256WithRSAEncryption. It's likely that current clients don't accept weak certificates like MD5-based ones.
> The 4 certificates are therefore in the cacert.pem of the server and the clients. (keystore)
> It works perfectly for old servers but for new ones I have to force the use of TLS 1.1 because of the algorithms.
> I have two problems:
> If I just paste the 2 certificates in MD5 in the client keystore, it works, but if I leave the 2 certificates in SHA1, it does not work (bad certificate). I don't understand how openldap reads the file when there are multiple choices. Does it start with the first pair and, if that doesn't work, go on to the next one?
If the client trusts the CA things should work "automagically".
> So the idea would be to generate 2 new certificates identical to the others but with a SHA256 signature, for example, to work in TLS 1.2/1.3 and keep ldap compatibility with old servers.
How old is "old"?
> The cacert.pem file of the OpenLDAP server would therefore have 6 certificates, and the clients, depending on their OS, would have the appropriate pair of certificates. Could this work? Or do I leave the clients' cacert the same and it will choose what it needs to establish the TLS connection?
Why would you use more than one certificate at all?
> I am a little lost ...
> Best regards, Fred
openldap-technical@openldap.org
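The question in the thread is what the client does with a cacert.pem that holds several CA certificates. It does not "try pairs": the TLS library OpenLDAP was built against (OpenSSL, GnuTLS or Mozilla NSS, depending on the build) takes the certificate chain the server presents, looks for a trust anchor in the bundle whose subject matches the issuer of the last certificate it received, and then applies its own signature-algorithm policy to every signature on that path. So an MD5- or SHA1-signed intermediate on the path is rejected no matter how many other certificates sit in the file, and the practical first step is to know which signature algorithm each certificate in the bundle actually carries. The script below is an added example written for this editorial pass, not code from the OpenLDAP project or from either poster. It uses only the Python standard library: it splits a PEM bundle into certificates, walks the outer DER structure (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and reports the signatureAlgorithm OID of each one, flagging md5WithRSA and sha1WithRSA. The sample bundle it runs on is constructed inline from DER skeletons that have the shape of a certificate but no real key or signature; they exist only so the example runs offline.

```python
"""Inventory the signature algorithm of every certificate in a PEM bundle.

Added example for the cacert.pem discussion; standard library only.
"""
import base64
import re

# Signature algorithm OIDs (RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(bundle: bytes) -> list:
    """DER bytes of every CERTIFICATE block in the bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw: bytes) -> str:
    """Content octets of an OBJECT IDENTIFIER -> dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der: bytes) -> str:
    """Outer signatureAlgorithm OID of a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)                    # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = read_tlv(der, start)                # tbsCertificate: skipped whole
    _, alg_start, _ = read_tlv(der, tbs_end)            # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)  # its first element: the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[oid_start:oid_end])


def inventory(bundle: bytes) -> list:
    """[(index, algorithm name, is_weak), ...] for each certificate in the bundle."""
    out = []
    for i, der in enumerate(pem_to_der(bundle)):
        oid = signature_oid(der)
        name = SIG_OIDS.get(oid, oid)
        out.append((i, name, name in WEAK))
    return out


def weak_count(bundle: bytes) -> int:
    return sum(1 for _, _, weak in inventory(bundle) if weak)


# --- constructed test input (not real certificates) --------------------------
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += chunk
    return bytes(body)


def skeleton_cert_pem(sig_oid: str) -> bytes:
    """CONSTRUCTED: a DER skeleton shaped like a Certificate, with a placeholder
    tbsCertificate and an all-zero signature. Enough to exercise the parser, nothing more."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" * 9)
    b64 = base64.encodebytes(der_tlv(0x30, tbs + alg + sig))
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"-----END CERTIFICATE-----\n"


# The six-certificate bundle the poster proposes: MD5 pair, SHA1 pair, SHA-256 pair.
SAMPLE_BUNDLE = b"".join(skeleton_cert_pem(o) for o in [
    "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.4",
    "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.5",
    "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.11",
])

if __name__ == "__main__":
    for idx, name, weak in inventory(SAMPLE_BUNDLE):
        print(f"cert[{idx}] {name}{'  <-- weak signature' if weak else ''}")
```

Against a real cacert.pem the equivalent one-liner is `openssl crl2pkcs7 -nocrl -certfile cacert.pem | openssl pkcs7 -print_certs -text -noout | grep 'Signature Algorithm'`; the script above is only the dependency-free form of the same check. The point it makes for the thread is that a bundle may safely contain old and new CA certificates side by side (the unused ones are simply never selected), but whether a given client accepts the chain is decided by the signature algorithms on the path the server actually presents, not by what else is in the file.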