Ipa verify CA with ssl
From Asenjo
Revision as of 21:33, 1 April 2013 by Natxo
When binding to the LDAP server over an encrypted connection (ldaps, or ldap with TLS) we first need to import the certificate of the Certificate Authority of our IPA instance.
We can verify that the CA certificate file is the right one for the server using openssl:
openssl s_client -connect kdc.ipa.asenjo.nx:636 -CAfile /etc/ipa/ca.crt < /dev/null
CONNECTED(00000003)
depth=1 O = IPA.ASENJO.NX, CN = Certificate Authority
verify return:1
depth=0 O = IPA.ASENJO.NX, CN = kdc.ipa.asenjo.nx
verify return:1
---
Certificate chain
0 s:/O=IPA.ASENJO.NX/CN=kdc.ipa.asenjo.nx
i:/O=IPA.ASENJO.NX/CN=Certificate Authority
1 s:/O=IPA.ASENJO.NX/CN=Certificate Authority
i:/O=IPA.ASENJO.NX/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
skip
-----END CERTIFICATE-----
subject=/O=IPA.ASENJO.NX/CN=kdc.ipa.asenjo.nx
issuer=/O=IPA.ASENJO.NX/CN=Certificate Authority
---
Acceptable client certificate CA names
/O=IPA.ASENJO.NX/CN=Certificate Authority
---
SSL handshake has read 2044 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 3C51832097D944EDDB8056DB886F0B509D79423173C4C33FB79CB2A28A831C67
Session-ID-ctx:
Master-Key: 3F3B2B378B893FF7C2C0177467B43B4A0BB49E9F8632346F80982C22D58B5194208E45064586F5F731BDE063B80D8666
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1364844733
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
As you can see, the verify return code is 0 (ok): the server certificate chains to the CA in /etc/ipa/ca.crt, so the file is correct.
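As an added worked example (not from the original page), the same s_client check wrapped in a POSIX shell function, together with an offline demo that builds a throw-away CA, a server certificate signed by it and an unrelated CA, starts a local openssl s_server and runs the check with the right and the wrong CA file. The organisation EXAMPLE.TEST, the host name ldap.example.test, the port 44330, the file paths and the function names are assumptions for the demo; it needs only the openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the original wiki page). ipa_verify_ca wraps the
# s_client check shown above; demo_verify_ca exercises it offline against a
# throw-away CA and TLS server built with openssl. Names, port and paths below
# are constructed for the demo.

# ipa_verify_ca HOST PORT CAFILE
# Prints the numeric "Verify return code" from s_client and returns 0 only
# when that code is 0 (ok), i.e. the server certificate chains to CAFILE.
ipa_verify_ca() {
    _out=$(openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null || true)
    _code=$(printf '%s\n' "$_out" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    # No such line means the TCP connect or the handshake itself failed.
    [ -n "$_code" ] || _code=255
    echo "$_code"
    [ "$_code" -eq 0 ]
}

# Minimal req config so the throw-away CA is marked CA:TRUE regardless of the
# system openssl.cnf; written to the path given as "$1".
write_ca_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = EXAMPLE.TEST
CN = Certificate Authority
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# demo_verify_ca: CA + server cert signed by it + an unrelated CA, a local
# openssl s_server, then the check with the right and the wrong CA file.
# Prints "right=<code> wrong=<code>"; returns 0 when right is 0 and wrong is not.
demo_verify_ca() {
    _port=${IPA_DEMO_PORT:-44330}          # constructed; override if in use
    _d=$(mktemp -d) || return 1
    write_ca_cnf "$_d/ca.cnf"
    # 1. Self-signed CA (constructed names, in the style of IPA's CA subject).
    openssl req -x509 -config "$_d/ca.cnf" -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -keyout "$_d/ca.key" -out "$_d/ca.crt" >/dev/null 2>&1 || return 1
    # 2. Server key and CSR, signed by that CA.
    openssl req -new -config "$_d/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj '/O=EXAMPLE.TEST/CN=ldap.example.test' \
        -keyout "$_d/server.key" -out "$_d/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$_d/server.csr" -CA "$_d/ca.crt" \
        -CAkey "$_d/ca.key" -CAcreateserial -out "$_d/server.crt" >/dev/null 2>&1 || return 1
    # 3. An unrelated CA: what a stale or wrong ca.crt looks like to the check.
    openssl req -x509 -config "$_d/ca.cnf" -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj '/O=OTHER.TEST/CN=Other CA' \
        -keyout "$_d/wrong.key" -out "$_d/wrong.crt" >/dev/null 2>&1 || return 1
    # 4. Local TLS server; -www keeps it serving after each client disconnects.
    openssl s_server -accept "$_port" -cert "$_d/server.crt" -key "$_d/server.key" \
        -www </dev/null >/dev/null 2>&1 &
    _srv=$!
    _tries=0
    # s_client exits 0 as soon as a handshake completes, so it doubles as a readiness probe.
    until openssl s_client -connect "127.0.0.1:$_port" </dev/null >/dev/null 2>&1; do
        _tries=$((_tries + 1))
        if [ "$_tries" -ge 10 ]; then kill "$_srv" 2>/dev/null; rm -rf "$_d"; return 1; fi
        sleep 1
    done
    # 5. The actual check, once with the matching CA and once with the wrong one.
    _right=$(ipa_verify_ca 127.0.0.1 "$_port" "$_d/ca.crt" || true)
    _wrong=$(ipa_verify_ca 127.0.0.1 "$_port" "$_d/wrong.crt" || true)
    kill "$_srv" 2>/dev/null || true
    wait "$_srv" 2>/dev/null || true
    rm -rf "$_d"
    echo "right=$_right wrong=$_wrong"
    [ "$_right" = 0 ] && [ "$_wrong" != 0 ]
}

# With HOST PORT CAFILE run the real check; without arguments run the demo.
if [ "$#" -eq 3 ]; then
    ipa_verify_ca "$1" "$2" "$3"
else
    demo_verify_ca
fi
```

Run it with three arguments to check a real server, for example the kdc.ipa.asenjo.nx 636 /etc/ipa/ca.crt combination from this page; with no arguments it runs the offline demo and prints the two codes. Note what the check does and does not cover: s_client without further options only confirms that the server certificate chains to the CA file, not that the certificate is issued for the host you connected to, so a wrong ca.crt shows up as a non-zero code, while a certificate from the right CA for a different host still returns 0. OpenSSL 1.1.0 and later can add the name check with -verify_hostname.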