[Fedora-directory-users] Using certs from MS CA server

J Davis mrsalty0 at gmail.com
Mon Jul 16 15:37:51 UTC 2007 

Hello,

I have FDS 1.0.4 running using an SSL certificate generated by an Microsoft
windows 2003 CA server.
I choose this method as opposed to the setupssl.sh script from the wiki
because I have read in the list archives that it is the best way to avoid
trust issues when setting up PassSync over SSL between FDS and AD. I'm
having a hard time finding references for configuring this properly and I
know very little about SSL certificates so I'm making some guesses and
likely missing a crucial step or two.
The problem is that when trying to bind to the FDS using SSL I get
certificate verification errors.

> # ldapsearch -x -H ldaps://localhost/
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Here's how I set up the certificates...
1. Generated a CSR using the FDS console wizard and submitted it to the MS
CA.
2. Imported the CA certificate (called "it") and the signed "server-cert"
resulting from step 1 from the MS CA using the FDS admin console.
3. Enabled SSL (port 636) in the directory server using server-cert from
step 1.

I used certutil to display the list of certificates in the FDS cert db.
> [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> server-cert    u,u,u
> it                   CT,,

Then verified that "server-cert" was considered valid.
> [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
slapd-<instance>-
> Enter Password or Pin for "NSS Certificate DB":
> certutil-bin: certificate is valid

I also verified that that I can connect using openssl client.
> # openssl s_client -connect localhost:636 -showcerts -CAfile
/path/to/it_ca.crt
  --snip--
>     Verify return code: 0 (ok)
> ---

Any hints as to what I might be doing wrong are greatly appreciated.

Thanks,
-Jake
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20070716/f2d03a21/attachment.html>

More information about the 389-users mailing list