Rusch Philipp pru09 wrote:
> Hello all,
>
> my last try to move on with the SSL certificates. I have installed
> fedora-ds 1.0.4 and have used the setupssl.sh script to generate the
> certificates on both my servers. After that I jumped to the "configure
> ldap clients" section and there it says: "If you have more than 1 CA
> cert, you will have to concatenate them into a single file."
>
> Can anyone tell me how I have to concatenate the two cacert.asc files? I
> have tried several things without any result (e.g. cat cacert1.asc
> cacert2.asc > cacert.asc). Only the first certificate is used to
> establish a new tls connection.
>
> I would appreciate any help about this problem!
>
> Thank you in advance.

This is just an educated guess, but if you ran setupssl.sh twice and didn't change anything then you have 2 Certificate Authorities with the same subject and same serial number, just different signing keys. My guess is this is confusing the heck out of openssl.

I'm not sure using TLS_CACERTDIR would change anything either.

Ideally you would create just 1 CA and use that to generate the server certs for your FDS installation. How to do this isn't particularly obvious though. You'd have to poke at the setupssl.sh script to see how the Server-Cert is being issued and generate a new CSR and get the CA to sign it.

Something simpler/quicker to try would be to modify the subject and CA name in setupssl.sh on one of the FDS servers and try again. The subject is set by the -s argument to certutil (e.g. cn=CAcert).

rob
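
One way to check a concatenated CA file for the collision guessed at in the reply above (same subject and serial, different keys). This is an added example, not part of the original thread; it assumes the openssl command-line tool is installed, and the function names and the throwaway demo CAs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
# Function names are illustrative.

# Print one line per certificate in bundle $1:
#   "<subject>|<serial>|<sha256 of the PEM public key>"
list_bundle() {
    tmp=$(mktemp -d) || return 1
    # Split the concatenated file into one file per PEM certificate block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        n=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
        p=$(openssl x509 -in "$f" -noout -pubkey | openssl dgst -sha256 | sed 's/^.*= *//')
        printf '%s|%s|%s\n' "$s" "$n" "$p"
    done
    rm -rf "$tmp"
}

# Print each "subject|serial" pair that occurs in bundle $1 with more than
# one distinct public key. Exact duplicates of one certificate are ignored.
find_collisions() {
    list_bundle "$1" | sort -u |
        awk -F'|' '{c[$1 "|" $2]++} END {for (k in c) if (c[k] > 1) print k}'
}

# Constructed sample input: a throwaway self-signed CA with subject $1 and
# serial $2, written to $3. The private key is discarded.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3.key" -subj "$1" \
        -set_serial "$2" -days 1 -out "$3" 2>/dev/null && rm -f "$3.key"
}

# Usage: pass the concatenated CA file as the first argument.
if [ -n "${1:-}" ]; then
    find_collisions "$1"
fi
```

An empty result means every subject and serial pair in the file maps to a single key; any line printed names a pair that two different CAs both claim.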