Mark McLoughlin wrote: > Hi, > A couple of quick questions about things that have been bugging me: > > - If I import a server certificate and a CA certificate with pk12util > and change the trust attributes on the CA cert to "C,," - i.e. that > it should be a trusted CA for server certificates - and then start > slapd I get: > > [05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication. > > Which seems strange to me - I would have thought the CA certs in > nssckbi would be trusted for client auth? The C trust flag means that it is a trusted CA to issue server certs. For client certs you need the T flag as well. nssckbi doesn't really come into play here. I believe that even if your CA is signed by another CA that is in libnssckbi but you don't trust your CA to sign client certs, then any client certificates issued by your CA won't be trusted. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060106/195f6d42/attachment.bin
