I followed the exact procedure below numerous times with the same frustrating error:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html#certutil-procedure

!481 $ openssl verify cacert_core.asc
cacert_core.asc: /DC=tv/DC=freewheel/CN=CA cert
error 18 at 0 depth lookup:self signed certificate
OK

!482 $ openssl verify cacert_PEKdev020.asc
cacert_PEKdev020.asc: /DC=tv/DC=freewheel/CN=CA cert
error 18 at 0 depth lookup:self signed certificate
OK

!474 $ certutil -V -u V -d . -n "Core CA certificate"
certutil: certificate is valid

!476 $ certutil -V -u V -d . -n "Core Server-Cert"
certutil: certificate is valid

I also imported the consumer's CA cert into the supplier ... this is correct?
I tried only importing the supplier's CA cert before with the same issue
(trying everything here!)

This looks strange though (why the duplicate cert):

!478 $ certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Core Server-Cert                                             u,u,u
Core CA certificate                                          CTu,u,u
Core CA certificate                                          CT,,

On Wed, Sep 8, 2010 at 10:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> John Mancuso wrote:
>>
>> Two questions:
>>
>> 1. I have generated self-signed ssl/ca certs trying both the
>> "certutil" method from the redhat doc and also the standard "openssl
>> x509 req -new" method. After installing the certs and enabling secure
>> ldaps replication both result in
>>
>> slapi_ldap_bind - Error: could not send bind request for id
>> [cn=replication manager,cn=config] mech [SIMPLE]: error 81 (Can't
>> contact LDAP server) -8172 (Peer's certificate issuer has been marked
>> as not trusted by the user.) 11 (Resource temporarily unavailable)
>>
>> Is there a known issue with self-signed certs?
>
> No, they work fine. Did you add the CA certificate that signed the server
> certificate as well?
>
> You can verify that the certificate is ok on the server with:
>
> certutil -V -u V -d /etc/dirsrv/slapd-<YOUR_INSTANCE>
>
> You are probably just missing the CA certificate. If you have it in PEM
> format you can add it via the command-line with:
>
> certutil -A -d /etc/dirsrv/slapd-<YOUR_INSTANCE> -n 'Your CA' -t CT,, -a < /path/to/ca.pem
>
> The 'Your CA' here is the nickname of the CA certificate. It is how it will
> appear in the DS console and using certutil -L. Pick something meaningful to
> you.
>
>> 2. If there is an issue with the above, we may end up purchasing a
>> wildcard cert for replicating across subdomains. I know in the HTML
>> world some web browsers complain about ssl wildcard certs across
>> subdomains. Any possible issues with this approach?
>>
>> ldaps://supplier_ldap.mycompany.com----> ldaps://consumer_ldap.dev.mycompany.com
>
> A wildcard cert will work but it's probably overkill to buy one just for this
> purpose. Self-signed certificates will work fine.
>
> rob
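
Added example, not part of the original thread: a Python parser for the `certutil -L` listing shown in the message. It reports nicknames listed more than once, which entries carry the `C` flag (trusted CA for server certificates, as set by `-t CT,,`), and which carry `u` (private key present in this database). The listing is a constructed sample copied from the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the `certutil -d . -L` listing as posted in the message.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Core Server-Cert                                             u,u,u
Core CA certificate                                          CTu,u,u
Core CA certificate                                          CT,,
"""

# Data row: nickname, whitespace, then three comma-separated trust-flag groups
# (SSL, S/MIME, object signing). Header lines do not match this shape.
ROW = re.compile(r"^(\S.*?)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")


def parse_listing(text):
    """Return a list of (nickname, ssl, smime, objsign) tuples."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]


def audit(rows):
    """Summarise the points worth checking before enabling LDAPS replication."""
    by_nick = defaultdict(list)
    for nick, ssl, _smime, _obj in rows:
        by_nick[nick].append(ssl)
    return {
        # Same nickname listed more than once, with each entry's SSL flags.
        "duplicates": {n: f for n, f in by_nick.items() if len(f) > 1},
        # 'C' in the SSL group: trusted CA for issuing server certificates.
        "trusted_server_cas": [n for n, ssl, *_ in rows if "C" in ssl],
        # 'u': the private key for this certificate is in this database.
        "with_private_key": [n for n, ssl, *_ in rows if "u" in ssl],
    }


if __name__ == "__main__":
    report = audit(parse_listing(SAMPLE_LISTING))
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["trusted_server_cas"]:
        print("no CA entry is trusted for SSL; see the certutil -A -t CT,, step")
```

Run against the supplier's and the consumer's databases separately, the report shows which database holds which CA entry and with what trust.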