Comments below.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Thursday, June 20, 2013 6:24 PM
To: openssl-users@openssl.org; openldap-techni...@openldap.org
Subject: RE: Is my process correct.: openldap using GeoTrust
>From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
>Sent: Thursday, 20 June, 2013 12:04

>A key/pair was sent to me from my admin and it looked like it came
>from GeoTrust. It's a wildcard cert.

A privatekey (which in most formats including openssl's is really a
keypair) and a matching certificate. You need both.

>I downloaded the Root CA from GeoTrust 's web site because LDAP
>requires the CA file.

The wildcard.securesites.com.cert you posted 6/19 has
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
GeoTrust doesn't publish that anywhere I can find but
http://www.tbs-certificats.com/FAQ/en/603.html has it as

-----BEGIN CERTIFICATE-----
MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjIzOTI2WhcNMjAwMjE4MjIzOTI2WjBAMQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xGDAWBgNVBAMTD0dlb1RydXN0
IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJCzgMHk5Uat
cGA9uuUU3Z6KXot1WubKbUGlI+g5hSZ6p1V3mkihkn46HhrxJ6ujTDnMyz1Hr4Gu
FmpcN+9FQf37mpc8oEOdxt8XIdGKolbCA0mEEoE+yQpUYGa5jFTk+eb5lPHgX3UR
8im55IaisYmtph6DKWOy8FQchQt65+EuDa+kvc3nsVrXjAVaDktzKIt1XTTYdwvh
dGLicTBi2LyKBeUxY0pUiWozeKdOVSQdl+8a5BLGDzAYtDRN4dgjOyFbLTAZJQ50
96QhS6CkIMlszZhWwPKoXz4mdaAN+DaIiixafWcwqQ/RmXAueOFRJq9VeiS+jDkN
d53eAsMMvR8CAwEAAaOB2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEJ5
VBthzVUrPmPVPEhX9Z/7Rc5KMB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4
ysxOMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov
L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEE
KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZI
hvcNAQEFBQADggEBANTvU4ToGr2hiwTAqfVfoRB4RV2yV2pOJMtlTjGXkZrUJPji
J2ZwMZzBYlQG55cdOprApClICq8kx6jEmlTBfEx4TCtoLF0XplR4TEbigMMfOHES
0tdT41SFULgCy+5jOvhWiU1Vuy7AyBh3hjELC3DwfjWDpCoTZFZnNF0WX3OsewYk
2k9QbSqr0E1TQcKOu3EDSSmGGM8hQkx0YlEVxW+o78Qn5Rsz3VqI138S0adhJR/V
4NwdzxoQ2KDLX4z6DOW/cf/lXUQdpj6HR/oaToODEj+IZpWYeZqF6wJHzSXj8gYE
TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=
-----END CERTIFICATE-----

which is an intermediate (not root) cert (verifiably) under
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

[[Rod's comment]] I need clarification please. The 'Root 2' is the root CA that I can download from geotrust and the one provided to me by my sysadmin is an intermediate?

and THAT is "Root 2" (one of several) on
http://www.geotrust.com/resources/root-certificates/index.html
(also in the standard Windows, Firefox, and Java truststores)

>What command do I use to make sure the key/pair that was sent to me is
>compatible with GeoTrust's CA?

Either concatenate the intermediate above and the correct root (also in PEM)
into one file say geotrustCAs.pem and do:

openssl verify -CAfile geotrustCAs.pem yourcertfile

[[Rod's comment]] Are you saying to concatenate the intermediate root and 'Root 2' which should be downloaded from geotrust?

Or put them as separate files in some directory say mycadir, create
hashnames using c_rehash or by hand, and do:

openssl verify -CApath mycadir yourcertfile

(The first is usually easier.)

Assuming (as asked before) your openldap is using openssl not MozillaNSS,
to use a key&cert with an intermediate cert openssl requires either
configuring a certchain file or putting the chain cert(s) in the truststore
(even if the cert(s) or truststore aren't needed for verification).

[[Rod's comment]] As you said before, I'm probably using MozNSS because of the errors I was getting several emails ago. What should I do? Should I remove the MozNSS pkg? I've already installed the openssl-devel pkg.

The manpage on http://linux.die.net/man/5/slapd-config does not indicate
any option to configure a chain file; if that is true for the version you
are using, use one of the above approaches with olcTLSCACertificateFile or Path.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org