I was replacing ssl certificates on a lo ... / 2009-11-24

Koos van den Hout

2009-11-24 I was replacing ssl certificates on a lo ... 9 years ago
I was replacing ssl certificates on a lot of servers and got it working everywhere except on our ldap server. The SSL certificate chain wasn't given out so there was no link between a trusted root and the certificate on the server. I had it configured: 
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
With the certificate in servercrt.pem and the intermediate certificates in cacert.pem. But that was a config from an older server which uses OpenSSL, including openssl libraries (libssl). The newer ldap server uses the gnu tls libraries (libgnutls) which really need: 
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
With the server certificate and the entire chain together in servercrt.pem. Something to keep in mind, so I documented it on our internal wiki.
Tags: ,
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.004174 seconds.