[Fedora-directory-users] Configure LDAP clients

Rob Crittenden rcritten at redhat.com
Tue Apr 21 12:27:54 UTC 2009


Rusch Philipp pru09 wrote:
> Hello all,
> 
> my last try to move on with the SSL certificates. I have installed 
> fedora-ds 1.0.4 and have used the setupssl.sh script to generate the 
> certificates on both my servers. After that I jumped to the "configure 
> ldap clients" section and there it says: "If you have more than 1 CA 
> cert, you will have to concatenate them into a single file."
> 
> Can anyone tell me how I have to concatenate the two cacert.asc files? I 
> have tried several things without any result (e.g. cat cacert1.asc 
> cacert2.asc > cacert.asc). Only the first certificate is used to 
> establish a new tls connection.
> 
> I would appreciate any help about this problem!
> 
> Thank you in advance.

This is just an educated guess, but if you ran setupssl.sh twice and 
didn't change anything, then you have 2 Certificate Authorities with the 
same subject and same serial number, just different signing keys. My 
guess is this is confusing the heck out of openssl. I'm not sure using 
TLS_CACERTDIR would change anything either.

Ideally you would create just 1 CA and use that to generate the server 
certs for your FDS installation. How to do this isn't particularly 
obvious though. You'd have to poke at the setupssl.sh script to see how 
the Server-Cert is being issued and generate a new CSR and get the CA to 
sign it.

Something simpler/quicker to try would be to modify the subject and CA 
name in setupssl.sh on one of the FDS servers and try again. The subject 
is set by the -s argument to certutil (e.g. cn=CAcert).

rob
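A way to verify the situation Rob describes before touching setupssl.sh: parse the concatenated cacert.asc and report any two certificates that share a subject and serial number but carry different public keys. This is an added example, not code from the thread or from the Fedora Directory Server project. It uses only the Python standard library with a small DER reader; the two sample certificates are constructed, unsigned, certificate-shaped stand-ins built inline for the demonstration (cn=CAcert is the default subject mentioned above; CAcert-srv2 is an assumed renamed subject), not real setupssl.sh output.

```python
import base64
import re
from collections import defaultdict

# Matches each CERTIFICATE block in a concatenated PEM file such as cacert.asc.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(bundle: bytes):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    for m in PEM_RE.finditer(bundle):
        yield base64.b64decode(b"".join(m.group(1).split()))

def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes):
    """Split a constructed element's contents into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def decode_oid(raw: bytes) -> str:
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def name_to_str(name_der: bytes) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) as text."""
    parts = []
    for _, rdn_set, _ in der_children(name_der):
        for _, attr, _ in der_children(rdn_set):
            (_, oid, _), (_, val, _) = der_children(attr)[:2]
            key = decode_oid(oid)
            parts.append(f"{ATTR_NAMES.get(key, key)}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def cert_identity(der: bytes) -> dict:
    """Extract serial, subject and SubjectPublicKeyInfo from one DER certificate."""
    _, cert_body, _ = der_tlv(der)                          # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert_body)[0][1])    # tbsCertificate fields
    if fields[0][0] == 0xA0:                                # [0] EXPLICIT version is optional
        fields = fields[1:]
    # Order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return {"serial": int.from_bytes(fields[0][1], "big", signed=True),
            "subject": name_to_str(fields[4][1]),
            "subject_der": fields[4][2], "spki_der": fields[5][2]}

def find_conflicts(bundle: bytes):
    """Group certs by (subject, serial); a group holding more than one distinct
    public key is a conflict, since a client that looks an issuer up by name can
    land on the wrong CA, which matches the 'only the first cert works' symptom."""
    groups = defaultdict(list)
    for idx, der in enumerate(pem_blocks(bundle)):
        ident = cert_identity(der)
        groups[(ident["subject_der"], ident["serial"])].append((idx, ident))
    conflicts = []
    for (_, serial), members in groups.items():
        keys = {ident["spki_der"] for _, ident in members}
        if len(keys) > 1:
            conflicts.append({"subject": members[0][1]["subject"], "serial": serial,
                              "indices": [i for i, _ in members], "distinct_keys": len(keys)})
    return conflicts

# --- constructed sample data: certificate-shaped DER blobs, not real signed certs ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_ca_cert(cn: str, serial: int, pubkey: bytes) -> bytes:
    """Build just enough X.509 structure for cert_identity(); the signature is a dummy."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    algo = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"090421000000Z") + der(0x17, b"190421000000Z"))
    spki = der(0x30, algo + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + algo + name + validity + name + spki)
    return der(0x30, tbs + algo + der(0x03, b"\x00" * 9))

def to_pem(der_bytes: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes) + b"-----END CERTIFICATE-----\n"

# Two setupssl.sh runs with the defaults: same cn=CAcert, same serial, different keys.
DUPLICATE_BUNDLE = to_pem(fake_ca_cert("CAcert", 1, b"\x11" * 16)) + to_pem(fake_ca_cert("CAcert", 1, b"\x22" * 16))
# Second server re-run with a different -s subject (assumed name): no collision.
FIXED_BUNDLE = to_pem(fake_ca_cert("CAcert", 1, b"\x11" * 16)) + to_pem(fake_ca_cert("CAcert-srv2", 1, b"\x22" * 16))

if __name__ == "__main__":
    print("duplicate bundle:", find_conflicts(DUPLICATE_BUNDLE))   # one conflict, 2 keys
    print("fixed bundle:", find_conflicts(FIXED_BUNDLE))           # []
```

Run it against a real bundle with `find_conflicts(open("cacert.asc", "rb").read())`; an empty list means the two CA certificates are distinguishable by name and serial and concatenation alone should be fine, while a reported conflict confirms the duplicate-CA situation that changing the certutil -s subject on one server is meant to resolve.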
