Does anyone possibly have an answer to these questions? I'm quite stumped at the moment, and would love to try and get this fully working.
Thanks again.
Date: Thu, 17 Nov 2005 10:09:45 -0600
From: Michael Montgomery mmontgomery@theplanet.com
Subject: Re: Re: [Fedora-directory-users] ssl client authentication
To: fedora-directory-users@redhat.com
Message-ID: 1132243785.24437.11.camel@work
Content-Type: text/plain
Thank you very much for your response. I just have a couple more questions so I can be sure I know what I'm talking about.
"the directory server (your SSL server) replies with the certificate chain which includes the CA certificate, and the self-signed SSL certificate."
I'm assuming the 'self-signed SSL certificate' is the client's SSL certificate I imported into the SSL server's store, and NOT the server's own client certificate?
"you should have the SSL certificate imported into your SSL client's security database, and it should be marked as trusted (i.e. -t "CT,CT,CT")."
Is there any documentation on how to do this with a RHEL4 server? The only things that come to mind are the openssl dirs '/usr/share/ssl/*', and possibly installing the certutil package on this machine... (but how would the ldap.conf file reference this, and even know about it... I'm curious about the integration).
"Another way to do this is to sign your SSL server certificate with your self-signed CA certificate, and import your CA certificate into your SSL client's security database."
I'm assuming you're talking about this option to Sign/Validate a self-signed cert:

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature
   -u certusage      Specify certificate usage:
                          C      SSL Client
                          V      SSL Server
                          S      Email signer
                          R      Email Recipient
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W
But then there's still the above question of how to import it into clients...
Once again, thank you very much for your answers up to this point, as they were quite helpful.
Michael.
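The following is an added example, not part of the thread or of the Fedora Directory Server project. It walks through the second option in the quoted reply (sign the server certificate with your own self-signed CA, then hand clients only the CA certificate) using openssl, checks the chain from the client's point of view with the same server/client usage distinction that certutil's -u V / -u C makes, and finishes with the certutil commands an NSS-based client would use to import the CA. The hostnames, nicknames, the "Example Lab CA" name, and the file layout under a temporary directory are all made up for illustration; nothing here is taken from the poster's setup.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a throwaway PKI built with
# openssl that follows the second option in the quoted reply (sign the server
# certificate with your own self-signed CA and give clients only the CA cert),
# plus the certutil commands an NSS-based client would use to import it.
# Hostnames, nicknames and file names below are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_NICK="Example Lab CA"            # assumed nickname for the NSS import

# Extension sections for the three certificate roles, and a minimal [req]
# stanza so openssl req does not depend on the system openssl.cnf.
write_ext_cnf() {
    cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA: a key, a request, and a certificate signed with its own key.
make_ca() {
    write_ext_cnf
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
        -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
        -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert NAME CN SECTION: a leaf certificate signed by the CA, with the
# usage (serverAuth or clientAuth) taken from SECTION in ext.cnf.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" -extensions "$3" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_chain NAME PURPOSE: what the client does with only the CA cert.
# PURPOSE is sslserver or sslclient; the check fails when the leaf's extended
# key usage does not match, the same distinction certutil -V makes with -u V / -u C.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Succeeds only if the server cert is NOT accepted without our CA, i.e. the
# client really does need the CA cert in its own trust store.
needs_ca() {
    if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then return 1; fi
    return 0
}

# NSS client side (certutil security database). In "CT,C,C" the first field
# is SSL trust: C = trusted CA for server certs, T = trusted CA for client
# certs. The server cert itself needs no trust flags once the CA is trusted.
# Skipped when certutil is not installed.
nss_import_ca() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed; skipping NSS import"
        return 0
    fi
    mkdir -p "$WORK/nssdb" &&
    echo changeme > "$WORK/pw" &&
    certutil -N -d "$WORK/nssdb" -f "$WORK/pw" &&
    certutil -A -d "$WORK/nssdb" -n "$CA_NICK" -t "CT,C,C" -i "$WORK/ca.crt" &&
    certutil -A -d "$WORK/nssdb" -n ldap-server -t ",," -i "$WORK/server.crt" &&
    certutil -V -d "$WORK/nssdb" -n ldap-server -u V
}

make_ca
issue_cert server ldap.example.test server
issue_cert client ldapclient.example.test client
verify_chain server sslserver && echo "server cert: OK for sslserver"
verify_chain client sslclient && echo "client cert: OK for sslclient"
verify_chain client sslserver || echo "client cert: rejected for sslserver (clientAuth only)"
needs_ca && echo "server cert is not trusted without the CA, as expected"
nss_import_ca || echo "NSS import failed"
```

Two practical notes. Only ca.crt goes to clients; ca.key stays on the machine that issues certificates, never in a client's database. For an OpenLDAP client built against OpenSSL (the RHEL4 case in the question), the equivalent of the NSS import is a TLS_CACERT line in /etc/openldap/ldap.conf pointing at the CA certificate file, with TLS_CERT and TLS_KEY naming the client's own certificate and key when the server demands client authentication, and TLS_REQCERT demand so that a server presenting an untrusted certificate is rejected rather than silently accepted.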