My understanding is that I should not need to do anything on the client to make it work. Please note that this is a valid certificate from a real CA. The use of an intermediate certificate (although very annoying) is sometimes used, and is normal. Although, the only other company i've used were i needed to use an intermediate cert was through verisign.
I think i may have mistakenly thought that jxplorer would use the same source of trusted CA's as the os. Now that i'm looking into some of the settings, I see it actually only has a handful of CA certs.
I think i may have mistakenly thought that jxplorer would use the same source of trusted CA's as the os. Now that i'm looking into some of the settings, I see it actually only has a handful of CA certs.
From: Rich Megginson <rmeggins@xxxxxxxxxx>
To: General discussion list for the 389 Directory server project. <fedora-directory-users@xxxxxxxxxx>
Sent: Wednesday, July 8, 2009 10:11:26 PM
Subject: Re: [389-users] Recover after installing a bad cert.
Dumbo Q wrote:
> Of course, it would help if i trusted the intermediate cert.
> certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB"
> certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network"
>
>
> After doing this I tried an ldapsearch -H ldaps://....
> ldapsearch worked with no problem.
> My ldap client "Jxplorer" could not connect however. It complained with the following..
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.
>
> A partial success i guess.
Does Jxplorer have the CA cert?
>
> ------------------------------------------------------------------------
> *From:* Dumbo Q <dumboq@xxxxxxxxx>
> *To:* Ryan Braun [ADS] <ryan.braun@xxxxxxxx>; fedora-directory-users@xxxxxxxxxx
> *Sent:* Wednesday, July 8, 2009 4:57:49 PM
> *Subject:* Re: [389-users] Recover after installing a bad cert.
>
> Thanks that did it.
>
> I just can't seem to get this certificate working. Here is the most recent way that i have tried.
> cat bundle.crt >> new.crt ## bundle, being the chain certificates provided by the CA
> cat rhds.crt >> new.crt ## rhds being the actual cert provided by the CA
> openssl verify new.crt ## turned out OK
>
> openssl pkcs12 -export -in new.crt -inkey rhds.example.com <http://rhds.example.com.ke>.key -out rhds.example.com-PSSL.p12
>
> pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d .
> certutil -L -d .
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
>
> rhds.example.com <http://rhds.example.com> - Comodo CA Limited u,u,u
> PositiveSSL CA - The USERTRUST Network ,,
> UTN-USERFirst-Hardware - AddTrust AB ,,
>
>
> Still the same error when i try to use this cert. Am I doing something wrong?
>
>
>
> ------------------------------------------------------------------------
> *From:* Ryan Braun [ADS] <ryan.braun@xxxxxxxx>
> *To:* fedora-directory-users@xxxxxxxxxx
> *Cc:* Dumbo Q <dumboq@xxxxxxxxx>
> *Sent:* Wednesday, July 8, 2009 2:50:10 PM
> *Subject:* Re: [389-users] Recover after installing a bad cert.
>
> On July 8, 2009 06:19:55 pm Dumbo Q wrote:
> > I just installed a new ssl certificate using pk12util. I restarted my
> > dirsrv, and picked the new cert in the dropdown menu under the encryption
> > tab. I restarted dirsrv to make it take affect. When I did this, I found
> > that the root certificate was not in redhats/openssls ca-bundle. I tried
> > importing the intermediate certificate, and I think I just made the problem
> > worse.
> >
> > right now im getting the following.
> > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> > rhds.example.com <http://rhds.example.com> - Comodo CA Limited of family
> > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> > Peer's Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400]
> > - SSL failure: None of the cipher are valid
> >
> >
> > Now my directory is down completely. How can I get it to start up without
> > SSL so that I can fix the problem?
>
> Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif
>
> then edit that file and look for
>
> nsslapd-security: on
>
> change to
>
> nsslapd-security: off
>
> save file, restart service and ssl should be turned off. Keep in mind
> whatever caused the ssl config to puke in the first place is still there :)
>
> Ryan
>
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
