George Holbert wrote:
>>
>> ...to automatically hand out CA certs to ldap clients upon request?
>
> There is no standard mechanism for this. You have to manually copy CA
> certs to the location and in the format that each of your secure LDAP
> client apps expects.
>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?
>
> RedHat Linux in the past has come with a bundle of well-known CA certs
> in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it
> has this too?
>
> You would still need to configure LDAP client apps to know about this
> file.
> Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
> tls_cacertfile /usr/share/ssl/cert.pem
> ...to /etc/ldap.conf.

In Fedora Core 5 this is in /etc/pki/tls/cert.pem:

# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from certdata.txt RCS revision 1.37
#
.....

> Susan wrote:
>> --- Richard Megginson <rmeggins at redhat.com> wrote:
>>
>>> Susan wrote:
>>>
>>>> Hi, everyone. I think this subject has been briefly raised before
>>>> but I've more questions.
>>>>
>>>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>>>>
>>> Yes. You go to the RHCS web interface, click "Get CA Cert Chain",
>>> and you can download or copy/paste the CA cert for use with client
>>> apps (or importing into your web browser or email program or etc.).
>>> This assumes you are using RHCS as your CA.
>>>
>>
>> well, I'm speaking strictly of ldap clients. Browsers I don't care
>> about.
>>
>>>> Has anybody done this?
>>>>
>>> We used this extensively at Netscape.
>>>
>>
>> to automatically hand out CA certs to ldap clients upon request?
>>
>>>> Right now no certs are
>>>> deployed on the clients, we're using them only for SSL traffic
>>>> encryption.
>>> Do you mean client cert auth?
>>>
>>
>> well, no. We don't care whether the clients misrepresent
>> themselves. We care if the FDS
>> misrepresents itself.
>>
>>> CA certs or client certs? For the CA cert problem, AFAIK, there is
>>> no way around it - you have to configure your clients to trust your
>>> CA one way or another. You can mitigate this somewhat by going
>>> through the process of getting a real CA cert from one of the
>>> trusted root CAs listed in your web browser or email client.
>>>
>>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060329/229fe122/attachment.bin
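The point made twice in this thread (the client has to be told to trust the CA that signed the directory server's certificate, and a public root bundle such as /etc/pki/tls/cert.pem will not contain a private CA) can be checked offline with the openssl command line. The script below is an added example, not code from the thread or from the Fedora Directory Server project. It assumes the openssl CLI is installed; the CA names, the hostname ldap.example.com and the file names are constructed for the demo. The only thing taken from the thread is the tls_cacertfile line that pam_ldap/nss_ldap read from /etc/ldap.conf.

```shell
#!/bin/sh
# Added example (not from the thread): show that an LDAP client only
# trusts a server certificate when the issuing CA is in the bundle named
# by tls_cacertfile. Assumes the openssl CLI is installed. All CA names,
# hostnames and file names below are constructed for the demo.
set -eu

# make_ca DIR NAME CN : create a self-signed CA (key + cert) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$3" >/dev/null 2>&1
}

# issue_server_cert DIR CA NAME HOST : issue a server cert for HOST, signed by CA.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
    -out "$1/$3.csr" -subj "/CN=$4" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" \
    -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" >/dev/null 2>&1
}

# chain_trusted BUNDLE CERT : exit 0 iff CERT chains to a CA in BUNDLE.
# This is the chain check a pam_ldap/nss_ldap client makes against the
# file named by tls_cacertfile before it will talk to the server.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# write_ldap_conf BUNDLE OUT : write the client-side line from the thread.
write_ldap_conf() {
  printf 'tls_cacertfile %s\n' "$1" > "$2"
}

# setup_demo DIR : build an internal CA, an unrelated CA (standing in for
# a public bundle such as /etc/pki/tls/cert.pem, which does not contain
# the internal CA), a server cert signed by the internal CA, and the
# matching ldap.conf fragment.
setup_demo() {
  make_ca "$1" internal-ca "Example Internal CA"
  make_ca "$1" unrelated-ca "Some Public Root CA"
  issue_server_cert "$1" internal-ca ldap-server ldap.example.com
  write_ldap_conf "$1/internal-ca.pem" "$1/ldap.conf"
}

# demo_ca_trust : returns 0 when the outcome is the expected one:
# trusted via the internal CA bundle, rejected via the unrelated bundle.
demo_ca_trust() {
  d=$(mktemp -d)
  setup_demo "$d"
  if chain_trusted "$d/internal-ca.pem" "$d/ldap-server.pem"; then
    echo "internal CA bundle: server cert trusted"
  else
    echo "internal CA bundle: UNEXPECTED rejection"; rm -rf "$d"; return 1
  fi
  if chain_trusted "$d/unrelated-ca.pem" "$d/ldap-server.pem"; then
    echo "unrelated bundle: UNEXPECTEDLY trusted"; rm -rf "$d"; return 1
  else
    echo "unrelated bundle: server cert rejected, as a public root bundle would"
  fi
  echo "client config that makes the first case work:"
  cat "$d/ldap.conf"
  rm -rf "$d"
}

demo_ca_trust
```

The second verify failing is the whole story of the thread: swapping in a certificate bought from a public CA makes the public bundle sufficient, while a certificate from an in-house CA (RHCS or otherwise) requires that CA's certificate to be placed in, or appended to, the file that tls_cacertfile points at on every client.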