[Fedora-directory-users] NSS/SSL oddities
Rob Crittenden
rcritten at redhat.com
Fri Jan 6 14:21:30 UTC 2006
Mark McLoughlin wrote:
> Hi,
> A couple of quick questions about things that have been bugging me:
>
> - If I import a server certificate and a CA certificate with pk12util
> and change the trust attributes on the CA cert to "C,," - i.e. that
> it should be a trusted CA for server certificates - and then start
> slapd I get:
>
> [05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
>
> Which seems strange to me - I would have thought the CA certs in
> nssckbi would be trusted for client auth?
The C trust flag means that it is a trusted CA to issue server certs.
For client certs you need the T flag as well.
nssckbi doesn't really come into play here. I believe that even if your
CA is signed by another CA that is in libnssckbi but you don't trust
your CA to sign client certs, then any client certificates issued by
your CA won't be trusted.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060106/195f6d42/attachment.bin>
More information about the Fedora-directory-users
mailing list