> ...to automatically hand out CA certs to ldap clients upon request?

There is no standard mechanism for this. You have to manually copy CA
certs to the location and in the format that each of your secure LDAP
client apps expects.

> yea but what about ldap clients? AFAIK no ldap client implicitly trusts
> verisign or anything like that. So, even if I do get a real CA cert,
> will a plain vanilla FC4 install trust it? I'm guessing no....?

RedHat Linux in the past has come with a bundle of well-known CA certs
in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it has
this too? You would still need to configure LDAP client apps to know
about this file. Using PADL's pam_ldap/nss_ldap as an example, you would
need to add:

tls_cacertfile /usr/share/ssl/cert.pem

...to /etc/ldap.conf.

Susan wrote:
> --- Richard Megginson <rmeggins at redhat.com> wrote:
>
>> Susan wrote:
>>
>>> Hi, everyone. I think this subject has been briefly raised before but
>>> I've more questions.
>>>
>>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>>>
>> Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and
>> you can download or copy/paste the CA cert for use with client apps (or
>> importing into your web browser or email program or etc.). This assumes
>> you are using RHCS as your CA.
>>
> well, I'm speaking strictly of ldap clients. Browsers I don't care about.
>
>>> Has anybody done this?
>>>
>> We used this extensively at Netscape.
>>
> to automatically hand out CA certs to ldap clients upon request?
>
>>> Right now no certs are deployed on the clients, we're using them only
>>> for SSL traffic encryption.
>>>
>> Do you mean client cert auth?
>>
> well, no. We don't care whether the clients misrepresent themselves. We
> care if the FDS misrepresents itself.
>
>> CA certs or client certs? For the CA cert problem, AFAIK, there is no
>> way around it - you have to configure your clients to trust your CA one
>> way or another. You can mitigate this somewhat by going through the
>> process of getting a real CA cert from one of the trusted root CAs
>> listed in your web browser or email client.
>>
> yea but what about ldap clients? AFAIK no ldap client implicitly trusts
> verisign or anything like that. So, even if I do get a real CA cert,
> will a plain vanilla FC4 install trust it? I'm guessing no....?
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
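Added example, not part of the thread above and not pam_ldap/nss_ldap's own code: a Go program (standard library only) that models what an LDAP client's TLS layer does with the file named by tls_cacertfile. It generates, in memory, a private CA standing in for the RHCS CA, a second self-signed root standing in for the public roots shipped in /usr/share/ssl/cert.pem, and a server certificate for the hypothetical host ldap.example.com. It then shows the three outcomes the reply describes: a bundle holding only the public root rejects the FDS certificate as signed by an unknown authority, appending the private CA to that bundle makes it verify, and a trusted CA still does not help when the hostname the client dialled is not in the certificate. The CA names, serial numbers and validity periods are made up for the demonstration, and the chain-building rules are Go's crypto/x509 rather than the library a real pam_ldap build links against.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// template describes a CA (the RHCS CA, or a public root shipped in a system
// bundle) when isCA is set, otherwise the server cert FDS presents for host cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent/parentKey; with parent == nil it is self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// bundle concatenates CA certs as PEM, the format of a tls_cacertfile such as cert.pem.
func bundle(cas ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verifyAgainstBundle does what an LDAP client does after the TLS handshake: the only
// trust anchors are those in the configured bundle, and the server cert must chain to
// one of them and carry the hostname the client connected to.
func verifyAgainstBundle(bundlePEM []byte, server *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // an unrelated bundle leaves no usable anchor
	_, err := server.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func isUnknownAuthority(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }
func isHostnameMismatch(err error) bool { var e x509.HostnameError; return errors.As(err, &e) }

// Result records the verification outcome under each client configuration.
type Result struct {
	PublicOnly error // bundle holds only public roots (stock cert.pem): unknown authority
	WithOurCA  error // our CA appended to that bundle: nil
	WrongHost  error // our CA trusted, but the name dialled is not in the cert: hostname mismatch
}

// RunScenario builds a private CA, a stand-in public root and a server cert for the
// hypothetical host ldap.example.com, then checks the server cert each way.
func RunScenario() (Result, error) {
	ourCA, ourKey, err := sign(template("Example Corp Private CA", 1, true), nil, nil)
	if err != nil {
		return Result{}, err
	}
	publicCA, _, err := sign(template("Stand-in Public Root CA", 2, true), nil, nil)
	if err != nil {
		return Result{}, err
	}
	server, _, err := sign(template("ldap.example.com", 1000, false), ourCA, ourKey)
	if err != nil {
		return Result{}, err
	}
	return Result{
		PublicOnly: verifyAgainstBundle(bundle(publicCA), server, "ldap.example.com"),
		WithOurCA:  verifyAgainstBundle(bundle(publicCA, ourCA), server, "ldap.example.com"),
		WrongHost:  verifyAgainstBundle(bundle(publicCA, ourCA), server, "ldap2.example.com"),
	}, nil
}
```

The point the program makes is that the bundle named by tls_cacertfile is the client's entire trust store: a certificate from a CA the file does not contain fails no matter how reputable that CA is, and adding the CA's PEM block to the file is the whole fix. The last case is the check to keep in mind once the CA is trusted: the client must also be connecting to a name that appears in the server certificate, or the handshake should still be rejected.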