Hi everyone. Sorry for the long email; I am kind of a noob to SSL certs.
I am trying to develop a client application that will use SSL to encrypt LDAP
traffic so that a customer can use his/her LDAP server as a means of logging
into my client application. This client application will reside on a machine
that does NOT have any CA trusted 3rd party certs (e.g. VeriSign). Also
companies that use this client application will use self-signed certs a lot.
Therefore I will be providing the customer two options. One option is for a
customer to manually load the server cert into the machine using a thumb drive.
The other option will be where a customer can hit the LDAP server and then
choose to accept or reject the SSL cert that is coming from the server over the
network.
I need to store a copy of the SSL server cert on the client machine because I
cannot have a customer transfer SSL certs before he/she wants to sign into the
application. It would be a chicken and egg problem.
When I run this command in Linux:
openssl s_client -showcerts -connect ldap.server.com:636
I see 2 certificates come up. I assume this is a certificate chain, is that
right?
When I take the first cert and copy/paste it into a file called first.pem,
then as a test I use:
curl ldaps://ldap.server.com --cacert first.pem
The connection fails. I assume because this is not the right cert.
When I take the second cert and copy/paste the contents into second.pem and
then type:
curl ldaps://ldap.server.com --cacert second.pem
The connection works great and I can see the LDAP database. I use Wireshark
and the connection is indeed secure.
This brings me to my questions.
First, I really don't know what a cert chain is, or what a cert chain
accomplishes. Second, I assume that a company could set up their LDAP servers
to have many certs in the cert chain. Since this is the case, how do I know
which is the right cert to grab and store on my client? Third, what is the
best way to grab the right certs from the LDAP server?
thanks
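An added example (not part of the post above) for the "which cert do I grab" procedure it describes: it splits the output of `openssl s_client -showcerts` into one PEM file per certificate and flags the self-signed one (subject equals issuer), which is the trust anchor to store on the client rather than the server's own leaf certificate. The hostname is the one from the post; the sample bundle and its base64 bodies are constructed placeholders, and `describe_chain` needs the openssl CLI and real certificates.

```shell
# Added example, not from the original post: split "openssl s_client -showcerts"
# output into one PEM file per certificate and flag the self-signed one
# (subject == issuer): that is the trust anchor to store on the client, rather
# than the server's own leaf certificate. Real use, with the post's hostname:
#   openssl s_client -showcerts -connect ldap.server.com:636 </dev/null >chain.txt
#   mkdir -p certs && split_chain chain.txt certs && describe_chain certs
#   curl ldaps://ldap.server.com --cacert certs/cert1.pem   # confirm it verifies

# split_chain BUNDLE OUTDIR: writes OUTDIR/cert0.pem, cert1.pem, ... in the
# order the server sent them (cert0 = the server's leaf cert) and prints the
# count. s_client's chatter outside the BEGIN/END markers is discarded.
split_chain() {
    awk -v dir="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0; n++ }
        END { print n }
    ' "$1"
}

# describe_chain OUTDIR: subject, issuer, SHA-256 fingerprint per cert (openssl CLI)
describe_chain() {
    for f in "$1"/cert*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject)
        iss=$(openssl x509 -in "$f" -noout -issuer)
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
        tag="leaf or intermediate"
        [ "${subj#subject=}" = "${iss#issuer=}" ] && tag="SELF-SIGNED (trust anchor)"
        printf '%s: %s\n  %s\n  %s\n  %s\n' "$f" "$tag" "$subj" "$iss" "$fp"
    done
}

# sample_bundle: constructed stand-in for s_client output (two certificates);
# the base64 bodies are placeholders, not real certificates.
sample_bundle() {
    cat <<'EOF'
 0 s:CN = ldap.server.com
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERBASE64LINE1
-----END CERTIFICATE-----
 1 s:CN = Example Corp Root CA
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDERBASE64LINE1
-----END CERTIFICATE-----
EOF
}
```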