> ...to automatically hand out CA certs to ldap clients upon request?
There is no standard mechanism for this. You have to manually copy CA
certs to the location and in the format that each of your secure LDAP
client apps expects.

> yeah, but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like
> that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm
> guessing no...?
RedHat Linux in the past has come with a bundle of well-known CA certs
in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it has
this too?

You would still need to configure LDAP client apps to know about this file.
Using PADL's pam_ldap/nss_ldap as an example, you would need to add:

    tls_cacertfile /usr/share/ssl/cert.pem

...to /etc/ldap.conf.
Susan wrote:
> --- Richard Megginson <rmeggins@xxxxxxxxxx> wrote:
> > Susan wrote:
> > > Hi, everyone. I think this subject has been briefly raised before but I've more questions.
> > > Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
> > Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and
> > you can download or copy/paste the CA cert for use with client apps (or
> > importing into your web browser or email program or etc.). This assumes
> > you are using RHCS as your CA.
> well, I'm speaking strictly of ldap clients. Browsers I don't care about.
>
> > > Has anybody done this?
> > We used this extensively at Netscape.
>
> > > to automatically hand out CA certs to ldap clients upon request?
> > > Right now no certs are
> > > deployed on the clients, we're using them only for SSL traffic encryption.
> > Do you mean client cert auth?
> well, no. We don't care whether the clients misrepresent themselves. We care if the FDS
> misrepresents itself.
>
> > CA certs or client certs? For the CA cert problem, AFAIK, there is no
> > way around it - you have to configure your clients to trust your CA one
> > way or another. You can mitigate this somewhat by going through the
> > process of getting a real CA cert from one of the trusted root CAs
> > listed in your web browser or email client.
> yeah, but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like
> that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm
> guessing no...?
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
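The point made in the thread is that an LDAP client has no implicit trust store: it must be told which CA file to trust and must be configured to verify the server's certificate, or a TLS connection only encrypts traffic and cannot detect a server that misrepresents itself. The following audit script is an added example, not code from the thread, from PADL or from Fedora Directory Server. It assumes the PADL nss_ldap/pam_ldap ldap.conf option names ssl, tls_checkpeer, tls_cacertfile and tls_cacertdir; the sample configurations, the host name ldap.example.com and the PEM content are constructed for the example.

```python
"""Audit a PADL-style /etc/ldap.conf for server-certificate trust settings.

Added example (not from the mailing-list thread). It checks that the client
is told which CA to trust (tls_cacertfile / tls_cacertdir) and is made to
verify the server certificate (tls_checkpeer), which is what lets a client
notice an LDAP server that misrepresents itself.
"""
import os
import re
import tempfile

# Constructed PEM-looking CA bundle content; this is NOT a real certificate.
FAKE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedExampleOnly\n"
    "-----END CERTIFICATE-----\n"
)


def parse_ldap_conf(text):
    """Parse 'key value' lines; blanks and '#' comments are ignored, keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def ca_file_has_certificate(path):
    """True if the file exists and contains at least one PEM certificate block."""
    try:
        with open(path) as f:
            data = f.read()
    except OSError:
        return False
    return bool(re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", data, re.S))


def audit_tls_trust(conf):
    """Return a list of findings; an empty list means the client verifies the server's cert."""
    findings = []
    ssl_mode = conf.get("ssl", "no").lower()
    if ssl_mode not in ("on", "start_tls"):
        findings.append("ssl is not 'on' or 'start_tls': LDAP traffic is sent in the clear")
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    cafile = conf.get("tls_cacertfile")
    cadir = conf.get("tls_cacertdir")
    if not cafile and not cadir:
        findings.append("no tls_cacertfile or tls_cacertdir: client has no CA to trust")
    elif cafile and not ca_file_has_certificate(cafile):
        findings.append(f"tls_cacertfile {cafile} is missing or holds no PEM certificate")
    return findings


def demo():
    """Audit a constructed 'encryption only' ldap.conf and its corrected counterpart."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for the distribution CA bundle (/usr/share/ssl/cert.pem in the thread).
        ca_path = os.path.join(tmp, "cert.pem")
        with open(ca_path, "w") as f:
            f.write(FAKE_CA_PEM)
        weak = parse_ldap_conf("""
            # constructed: TLS is on, but nobody checks who is on the other end
            host ldap.example.com
            base dc=example,dc=com
            ssl start_tls
            tls_checkpeer no
        """)
        hardened = parse_ldap_conf(f"""
            # constructed: same client, now pinned to a CA file and verifying the peer
            host ldap.example.com
            base dc=example,dc=com
            ssl start_tls
            tls_checkpeer yes
            tls_cacertfile {ca_path}
        """)
        return audit_tls_trust(weak), audit_tls_trust(hardened)


if __name__ == "__main__":
    weak_findings, hardened_findings = demo()
    print("weak config:", weak_findings)
    print("hardened config:", hardened_findings)
```

Run it against a real /etc/ldap.conf by passing the file's contents to parse_ldap_conf and the result to audit_tls_trust; the file path in tls_cacertfile is checked for an actual PEM certificate block, so a typo in the path shows up as a finding rather than as a silent failure at connect time.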