Ipa verify CA with ssl

From Asenjo

When binding to the LDAP server over an encrypted connection (LDAPS, or LDAP with TLS), we first need to import the Certificate Authority certificate of our IPA instance.

We can verify that the certificate file of this CA is correct using openssl:

openssl s_client -connect kdc.ipa.asenjo.nx:636 -CAfile /etc/ipa/ca.crt < /dev/null

depth=1 O = IPA.ASENJO.NX, CN = Certificate Authority
verify return:1
depth=0 O = IPA.ASENJO.NX, CN = kdc.ipa.asenjo.nx
verify return:1
Certificate chain
 0 s:/O=IPA.ASENJO.NX/CN=kdc.ipa.asenjo.nx
   i:/O=IPA.ASENJO.NX/CN=Certificate Authority
 1 s:/O=IPA.ASENJO.NX/CN=Certificate Authority
   i:/O=IPA.ASENJO.NX/CN=Certificate Authority
Server certificate
issuer=/O=IPA.ASENJO.NX/CN=Certificate Authority
Acceptable client certificate CA names
/O=IPA.ASENJO.NX/CN=Certificate Authority
SSL handshake has read 2044 bytes and written 474 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 3C51832097D944EDDB8056DB886F0B509D79423173C4C33FB79CB2A28A831C67
    Master-Key: 3F3B2B378B893FF7C2C0177467B43B4A0BB49E9F8632346F80982C22D58B5194208E45064586F5F731BDE063B80D8666
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1364844733
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

As you can see, the verify return code is 0 (ok), so the CA file is correct.
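The same check wrapped in a script, added here as an example and not part of the original page. It keeps the page's host, port and CA path (kdc.ipa.asenjo.nx, 636, /etc/ipa/ca.crt) as assumed values, and adds two flags worth knowing about: by default s_client still completes the handshake when the chain does not validate and never compares the certificate name to the host you dialled, so -verify_return_error and -verify_hostname (OpenSSL 1.0.2 or newer) close both gaps.

```shell
#!/bin/sh
# Added example (not from the original wiki page). Assumes OpenSSL >= 1.0.2
# for -verify_hostname, and the page's host/port/CA file as defaults.

# Read s_client output on stdin and print the numeric verify return code,
# or "none" if the line never appeared (the handshake did not get that far).
verify_code_from_output() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | tail -n 1)
    if [ -z "$code" ]; then
        echo none
    else
        echo "$code"
    fi
}

# Connect to host:port, validate the presented chain against cafile, and
# also require the leaf certificate to match the host name we connected to.
check_ldaps_ca() {
    host=$1; port=$2; cafile=$3
    # -verify_return_error aborts instead of continuing after a chain failure;
    # -servername sends SNI so a multi-name server picks the right certificate.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -CAfile "$cafile" -verify_return_error -verify_hostname "$host" \
          </dev/null 2>&1) || true
    code=$(printf '%s\n' "$out" | verify_code_from_output)
    case "$code" in
        0)
            echo "OK: $cafile validates the chain presented by $host:$port"
            return 0 ;;
        none)
            echo "FAIL: no verify result (unreachable host/port, or chain rejected):"
            printf '%s\n' "$out" | tail -n 3
            return 2 ;;
        *)
            echo "FAIL: verify return code $code"
            printf '%s\n' "$out" | grep 'Verify return code'
            return 1 ;;
    esac
}

# Usage (needs network access to the IPA server):
#   check_ldaps_ca kdc.ipa.asenjo.nx 636 /etc/ipa/ca.crt
```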