> On 3 Apr 2019, at 04:39, Vandenburgh, Steve Y <Steve.Vandenburgh@xxxxxxxxxxxxxxx> wrote:
>
> Believe that you may need the "T" trust setting on the CA certificate too:
>
> certutil
>   -t trustargs
>       Specify the trust attributes to modify in an existing certificate
>       or to apply to a certificate when creating it or adding it to a
>       database. There are three available trust categories for each
>       certificate, expressed in the order SSL, email, object signing for
>       each trust setting. In each category position, use none, any, or
>       all of the attribute codes:
>
>       · p - Valid peer
>
>       · P - Trusted peer (implies p)
>
>       · c - Valid CA
>
>       · C - Trusted CA (implies c)
>
>       · T - trusted CA for client authentication (ssl server only)

I think you are correct here, Steve.

The other place to check is cn=encryption,cn=config. I think there is nsClientAuth (?) or similar, which should be set to “allowed” rather than “never”. I don’t have the documentation in front of me this very second, but it’s worth checking that too.

—
Sincerely,

William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
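
An added example, not part of either post above: a shell function that reads `certutil -L` output and reports CA certificates whose SSL trust field lacks the `T` flag from the quoted man page text. The listing, the nicknames and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit a `certutil -L` listing for CA certificates that are not trusted
# for client authentication (no "T" in the first, SSL, trust category).

# Constructed sample listing; nicknames are made up for this example.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,,
Example Issuing CA                                           C,,
Server-Cert                                                  u,u,u
EOF
}

# Reads a certutil -L listing on stdin and prints one line per CA entry:
#   OK <nickname>         SSL trust contains T
#   MISSING_T <nickname>  SSL trust has c or C but no T
# Entries with no CA flag in the SSL category (e.g. "u,u,u") are skipped.
ca_client_auth_audit() {
    awk '
    # Data rows end in a three-part trust field such as "CT,,"; the
    # header rows do not match this pattern and are ignored.
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        split($NF, parts, ",")
        ssl = parts[1]
        if (ssl !~ /[cCT]/) next
        # The nickname may contain spaces: strip the trailing trust field.
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)
        sub(/^[ \t]+/, "", nick)
        print (ssl ~ /T/ ? "OK" : "MISSING_T") " " nick
    }'
}

# Stand-alone run over the constructed sample.
sample_listing | ca_client_auth_audit
```

Against a real database, pipe `certutil -L -d <nss-db-dir>` into `ca_client_auth_audit`; an entry reported as `MISSING_T` can have its trust changed with `certutil -M -d <nss-db-dir> -n "<nickname>" -t "CT,,"`.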