Re: FDS & Red Hat Certificate System

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

George Holbert wrote:


...to automatically hand out CA certs to ldap clients upon request?
There is no standard mechanism for this. You have to manually copy CA certs to the location and in the format that each of your secure LDAP client apps expects.
yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm 
guessing no....?
RedHat Linux in the past has come with a bundle of well-known CA certs in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it has this too?
You would still need to configure LDAP client apps to know about this file. 
Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
tls_cacertfile /usr/share/ssl/cert.pem
...to /etc/ldap.conf.

In Fedora Core 5 this is in /etc/pki/tls/cert.pem:
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from certdata.txt RCS revision 1.37
#
.....






Susan wrote:

--- Richard Megginson <rmeggins@xxxxxxxxxx> wrote:


Susan wrote:
Hi, everyone. I think this subject has been briefly raised before but I've more questions. 

Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and you can download or copy/paste the CA cert for use with client apps (or importing into your web browser or email program or etc.). This assumes you are using RHCS as your CA.
well, I'm speaking strictly of ldap clients. Browsers I don't care about. 



Has anybody done this?

We used this extensively at Netscape.


to automatically hand out CA certs to ldap clients upon request?


Right now no certs are
deployed on the clients, we're using them only for SSL traffic encryption. 
Do you mean client cert auth?
well, no. We don't care whether the clients misrepresent themselves. We care if the FDS 
misrepresents itself.
CA certs or client certs? For the CA cert problem, AFAIK, there is no way around it - you have to configure your clients to trust your CA one way or another. You can mitigate this somewhat by going through the process of getting a real CA cert from one of the trusted root CAs listed in your web browser or email client.
yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm 
guessing no....?

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com 
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users




--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux