[Fedora-directory-users] Using certs from MS CA server
Richard Megginson
rmeggins at redhat.com
Mon Jul 16 15:42:53 UTC 2007
J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by an
> Microsoft windows 2003 CA server.
> I choose this method as opposed to the setupssl.sh script from the
> wiki because I have read in the list archives that it is the best way
> to avoid trust issues when setting up PassSync over SSL between FDS
> and AD. I'm having a hard time finding references for configuring this
> properly and I know very little about SSL certificates so I'm making
> some guesses and likely missing a crucial step or two.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> > additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
/usr/bin/ldapsearch is OpenLDAP ldapsearch. Did you follow these steps
to tell it where to find the CA cert?
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
>
> Here's how I set up the certificates...
> 1. Generated a CSR using the FDS console wizard and submitted it to
> the MS CA.
> 2. Imported the CA certificate (called "it") and the signed
> "server-cert" resulting from step 1 from the MS CA using the FDS admin
> console.
> 3. Enabled SSL (port 636) in the directory server using server-cert
> from step 1.
Where you restarted the directory server, did it say it was listening
for LDAPS requests on port 636 in the error log?
>
> I used certutil to display the list of certificates in the FDS cert db.
> > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> > server-cert u,u,u
> > it CT,,
>
> Then verified that "server-cert" was considered valid.
> > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
> slapd-<instance>-
> > Enter Password or Pin for "NSS Certificate DB":
> > certutil-bin: certificate is valid
>
> I also verified that that I can connect using openssl client.
> > # openssl s_client -connect localhost:636 -showcerts -CAfile
> /path/to/it_ca.crt
> --snip--
> > Verify return code: 0 (ok)
> > ---
>
> Any hints as to what I might be doing wrong are greatly appreciated.
>
> Thanks,
> -Jake
>
>
>
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20070716/f7580f58/attachment.bin>
More information about the 389-users
mailing list