Mozilla NSS / OpenLdap 2.4.23 cert not readable?
Hello,
I'm trying to grok Mozilla NSS prior to deploying Openldap 2.4.23 on RHEL 6.2. I've been working through creating a self-signed cert and I think I have one that works. At least, if I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
its Cu,Cu,Cu
animal.clarku.edu p,p,p
the its cert is the one I used to sign.
If I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L -n animal.clarku.edu
Then I see a normal looking cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:96:7c:e7:ea
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=ITS Self Signed"
Validity:
Not Before: Mon Dec 12 16:01:27 2011
Not After : Mon Mar 12 16:01:27 2012
Subject: "CN=animal.clarku.edu,O=Clark University ITS,L=Worcester,ST=Massachusetts,C=US"
Here's what I've got in cn=config:
olcTLSCACertificatePath: /etc/pki/nssdb/
olcTLSCertificateFile: animal.clarku.edu
If I do those commands as the ldap user with sudo -u ldap, I get the same output. I can even run "certutil -V -n animal.clarku.edu -u SR -d /etc/pki/nssdb/" and I get "certificate is valid".
However when I start slapd, I get:
[root@animal slapd.d]# service slapd start
animal.clarku.edu is not readable by "ldap" [WARNING]
Starting slapd: [ OK ]
What am I missing?
Thanks,
Aaron
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS