Believe that you may need the "T" trust setting on the CA certificate too: certutil -t trustargs Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all of the attribute codes: · p - Valid peer · P - Trusted peer (implies p) · c - Valid CA · C - Trusted CA (implies c) · T - trusted CA for client authentication (ssl server only) Steve Vandenburgh LDAP Directory Services/Identity Management -----Original Message----- From: Eli <elish266(a)gmail.com&gt; Sent: Tuesday, April 2, 2019 11:41 AM To: 389-users(a)lists.fedoraproject.org Subject: [389-users] Peer's certificate issuer has been marked as not trusted by the user Hello, I am trying to setup a mutual based TLS authenticated 389-DS LDAP server, where the client and the server will perform certificate based authentication. This should be test system and not a production system. I have a Windows CA signed on the LDAP server certificate and the client certificate (.p12). The server has its the CA root and its own cert loaded: [root@ldap2sit slapd-ldap2sit]# certutil -K -d . certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa 90f72656c6c26fad75fbc5787105197301d76bab Server-Cert [root@ldap2sit slapd-ldap2sit]# [root@ldap2sit slapd-ldap2sit]# [root@ldap2sit slapd-ldap2sit]# certutil -L -d . Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u ca_cert C,, I have a client defined in the LDAP: uid=a47886b9fffc , cn=a47886b9fffc , o=Avaya , l=Holon, mail=eshmulen(a)avaya.com The certificate I have on the client is: Issued to: a47886b9fffc Issued by: sititcdc (which is the same CA signed the server certificate and its root in loaded to the server) Issuer: cn=sititcdc,dc=sititc,dc=dom Subject: e=eshmulen(a)avaya.com, cn=a47886b9fffc, ou=SIT, o=Avaya, L=Holon, S=Israel, C=IL My /etc/dirsrv/ldap2sit/certmap.conf: certmap ldap2sit o=Avaya,l=Holon ldap2sit:DNComps ldap2sit:FilterComps cn ldap2sit:verifycert on When trying connecting I get connection failure with with following entries in /var/log/dirsrv/.../error: [02/Apr/2019:20:33:11.096582067 +0300] conn=5 fd=64 slot=64 SSL connection from 149.49.161.10 to 149.49.78.110 [02/Apr/2019:20:33:11.139068683 +0300] conn=5 Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.); unauthenticated client E=eshmulen(a)avaya.com,CN=a47886b9fffc,OU=SIT,O=Avaya,L=Holon,ST=Israel,C=IL; issuer CN=sititcdc,DC=sititc,DC=dom [02/Apr/2019:20:33:11.139131964 +0300] conn=5 op=-1 fd=64 closed - Peer's certificate issuer has been marked as not trusted by the user. In wireshark trace I see the server is closing the TCP/TLS connection with alert (Level: Fatal, Description: Unknown CA) Can you tell me what I am doing wrong here? Thanks, Eli _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

Adding the T attribute to the ca_cert solved the problem. Thank you for your help! Eli