Believe that you may need the "T" trust setting on the CA certificate too:
certutil
-t trustargs
Specify the trust attributes to modify in an existing certificate
or to apply to a certificate when creating it or adding it to a
database. There are three available trust categories for each
certificate, expressed in the order SSL, email, object signing for
each trust setting. In each category position, use none, any, or
all of the attribute codes:
· p - Valid peer
· P - Trusted peer (implies p)
· c - Valid CA
· C - Trusted CA (implies c)
· T - trusted CA for client authentication (ssl server only)
Steve Vandenburgh
LDAP Directory Services/Identity Management
-----Original Message-----
From: Eli <elish266(a)gmail.com>
Sent: Tuesday, April 2, 2019 11:41 AM
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] Peer's certificate issuer has been marked as not trusted by the
user
Hello,
I am trying to set up a mutually TLS-authenticated 389-DS LDAP server, where the client
and the server will perform certificate-based authentication.
This should be a test system and not a production system.
I have a Windows CA that signed the LDAP server certificate and the client certificate
(.p12). The server has the CA root and its own cert loaded:
[root@ldap2sit slapd-ldap2sit]# certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key
and Certificate Services"
< 0> rsa 90f72656c6c26fad75fbc5787105197301d76bab Server-Cert
[root@ldap2sit slapd-ldap2sit]#
[root@ldap2sit slapd-ldap2sit]#
[root@ldap2sit slapd-ldap2sit]# certutil -L -d .
Certificate Nickname        Trust Attributes
                            SSL,S/MIME,JAR/XPI

Server-Cert                 u,u,u
ca_cert                     C,,
I have a client defined in the LDAP:
uid=a47886b9fffc, cn=a47886b9fffc, o=Avaya, l=Holon, mail=eshmulen(a)avaya.com
The certificate I have on the client is:
Issued to: a47886b9fffc
Issued by: sititcdc (which is the same CA that signed the server certificate, and whose root is
loaded on the server)
Issuer: cn=sititcdc,dc=sititc,dc=dom
Subject: e=eshmulen(a)avaya.com, cn=a47886b9fffc, ou=SIT, o=Avaya, L=Holon, S=Israel, C=IL
My /etc/dirsrv/ldap2sit/certmap.conf:
certmap ldap2sit o=Avaya,l=Holon
ldap2sit:DNComps
ldap2sit:FilterComps cn
ldap2sit:verifycert on
When trying to connect I get a connection failure with the following entries in
/var/log/dirsrv/.../error:
[02/Apr/2019:20:33:11.096582067 +0300] conn=5 fd=64 slot=64 SSL connection from
149.49.161.10 to 149.49.78.110
[02/Apr/2019:20:33:11.139068683 +0300] conn=5 Netscape Portable Runtime error -8172
(Peer's certificate issuer has been marked as not trusted by the user.);
unauthenticated client
E=eshmulen(a)avaya.com,CN=a47886b9fffc,OU=SIT,O=Avaya,L=Holon,ST=Israel,C=IL; issuer
CN=sititcdc,DC=sititc,DC=dom
[02/Apr/2019:20:33:11.139131964 +0300] conn=5 op=-1 fd=64 closed - Peer's certificate
issuer has been marked as not trusted by the user.
In a Wireshark trace I see the server is closing the TCP/TLS connection with an alert (Level:
Fatal, Description: Unknown CA).
Can you tell me what I am doing wrong here?
Thanks,
Eli
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email
to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
This communication is the property of CenturyLink and may contain confidential or
privileged information. Unauthorized use of this communication is strictly prohibited and
may be unlawful. If you have received this communication in error, please immediately
notify the sender by reply e-mail and destroy all copies of the communication and any
attachments.
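The check Steve's reply points at, as an added example that is not part of the thread and not 389-DS or NSS code: it reads the trust-attribute column of a `certutil -L` listing (a constructed copy of the one in the original post), tests whether the CA nickname's SSL column already carries the "T" flag, and prints the `certutil -M ... -t` invocation that adds it while keeping the existing "C". The database path `/etc/dirsrv/slapd-ldap2sit` and nickname `ca_cert` are taken from the post; treat both as assumptions for your own instance.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `certutil -L -d <dir>` output
# and reports whether the CA is trusted for TLS client authentication ("T"
# in the SSL column), printing the certutil -M command to fix it if not.
# Database path and nickname below are assumptions copied from the post.

# Print the trust-attribute string (e.g. "C,,") for NICKNAME, reading the
# certutil -L listing from stdin. Header lines never match a nickname.
trust_attrs() {
  awk -v nick="$1" '$1 == nick { print $2; exit }'
}

# The SSL trust column is the first comma-separated field.
ssl_flags() {
  printf '%s\n' "$1" | cut -d, -f1
}

# Succeeds when the SSL column already contains T (trusted CA for client auth).
has_client_auth_trust() {
  case "$(ssl_flags "$1")" in
    *T*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the certutil -M invocation that appends T to the SSL column and
# leaves the S/MIME and object-signing columns exactly as they were.
# certutil always prints three comma-separated columns, which this relies on.
fix_command() {
  dbdir=$1; nick=$2; attrs=$3
  ssl=$(ssl_flags "$attrs")
  rest=$(printf '%s\n' "$attrs" | cut -d, -f2-)
  case "$ssl" in
    *T*) new=$ssl ;;
    *)   new="${ssl}T" ;;
  esac
  printf 'certutil -M -d %s -n %s -t "%s,%s"\n' "$dbdir" "$nick" "$new" "$rest"
}

# Constructed listing mirroring the `certutil -L -d .` output in the post.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,'

main() {
  attrs=$(printf '%s\n' "$SAMPLE_LISTING" | trust_attrs ca_cert)
  if has_client_auth_trust "$attrs"; then
    echo "ca_cert already trusted for client auth: $attrs"
  else
    echo "ca_cert trust is '$attrs' (no T in SSL column); run:"
    fix_command /etc/dirsrv/slapd-ldap2sit ca_cert "$attrs"
  fi
}

main "$@"
```

On a live server, pipe `certutil -L -d /etc/dirsrv/slapd-ldap2sit` into `trust_attrs ca_cert` instead of the constructed listing; after running the printed `certutil -M` command, re-list to confirm the column reads `CT,,` and then restart the instance so the new trust is picked up.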