Mark McLoughlin wrote:
Hi,

A couple of quick questions about things that have been bugging me:

- If I import a server certificate and a CA certificate with pk12util and change the trust attributes on the CA cert to "C,," - i.e. that it should be a trusted CA for server certificates - and then start slapd I get:

[05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.

Which seems strange to me - I would have thought the CA certs in nssckbi would be trusted for client auth?

The C trust flag means that it is a trusted CA to issue server certs. For client certs you need the T flag as well.
nssckbi doesn't really come into play here. I believe that even if your CA is signed by another CA that is in libnssckbi but you don't trust your CA to sign client certs, then any client certificates issued by your CA won't be trusted.
rob
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
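
Added example, not part of the original thread or of the directory server's own tooling: a POSIX shell check that reads `certutil -L` output and reports CAs whose SSL trust field has C but no T, the case that produces the slapd message quoted above. The sample listing and its nicknames are constructed, and `<certdir>` and `<CA nickname>` are placeholders.

```shell
#!/bin/sh
# Audit NSS trust flags as printed by `certutil -L -d <certdir>`.
# Trust attributes are three comma-separated fields: SSL,S/MIME,object signing.
# In the SSL field: C = trusted CA for server certs, T = trusted CA for client certs.
# To add client trust to a CA: certutil -M -d <certdir> -n "<CA nickname>" -t "CT,,"

# Constructed sample of `certutil -L` output (nicknames are made up).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Internal CA                                          C,,
Example Client CA                                            CT,,
Server-Cert                                                  u,u,u
EOF
}

# Read a listing on stdin and print "<verdict><TAB><nickname>" per CA entry:
#   client-ok   : SSL field contains T
#   server-only : SSL field contains C but no T (the case from the thread)
audit_trust() {
    awk '
    # A data line ends in a trust string such as "CT,," or "u,u,u".
    $NF ~ /^[a-zA-Z]*,[a-zA-Z]*,[a-zA-Z]*$/ {
        ssl = $NF
        sub(/,.*/, "", ssl)                       # keep only the SSL field
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)     # drop the trailing trust column
        sub(/^[ \t]+/, "", nick)                  # nicknames may contain spaces
        if (ssl ~ /T/)      printf "client-ok\t%s\n", nick
        else if (ssl ~ /C/) printf "server-only\t%s\n", nick
    }'
}

# Exit 0 when at least one CA in the listing is trusted for SSL client auth.
has_client_auth_ca() {
    audit_trust | grep -q '^client-ok'
}
```

Against a real database, pipe `certutil -L -d <certdir>` into `audit_trust`; any `server-only` line names a CA that can vouch for server certificates but not for client certificates.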