Ipa verify CA with ssl

From Asenjo
Revision as of 22:54, 28 August 2015 by Natxo (Talk | contribs)

When binding to the LDAP server over an encrypted connection (ldaps, or ldap with STARTTLS) we first need to import the Certificate Authority certificate of our IPA instance, so the client can validate the server's certificate chain.

We can verify that the CA certificate file is correct by pointing openssl at it while connecting to the LDAPS port:


openssl s_client -connect kdc.ipa.asenjo.nx:636 -CAfile /etc/ipa/ca.crt < /dev/null

CONNECTED(00000003)
depth=1 O = IPA.ASENJO.NX, CN = Certificate Authority
verify return:1
depth=0 O = IPA.ASENJO.NX, CN = kdc.ipa.asenjo.nx
verify return:1
---
Certificate chain
 0 s:/O=IPA.ASENJO.NX/CN=kdc.ipa.asenjo.nx
   i:/O=IPA.ASENJO.NX/CN=Certificate Authority
 1 s:/O=IPA.ASENJO.NX/CN=Certificate Authority
   i:/O=IPA.ASENJO.NX/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
skip
-----END CERTIFICATE-----
subject=/O=IPA.ASENJO.NX/CN=kdc.ipa.asenjo.nx
issuer=/O=IPA.ASENJO.NX/CN=Certificate Authority
---
Acceptable client certificate CA names
/O=IPA.ASENJO.NX/CN=Certificate Authority
---
SSL handshake has read 2044 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 3C51832097D944EDDB8056DB886F0B509D79423173C4C33FB79CB2A28A831C67
    Session-ID-ctx: 
    Master-Key: 3F3B2B378B893FF7C2C0177467B43B4A0BB49E9F8632346F80982C22D58B5194208E45064586F5F731BDE063B80D8666
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1364844733
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

So you see: the verify return code is 0 (ok), which means the server's certificate chain validates against /etc/ipa/ca.crt and the CA file is correct.
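As an added example (not from the original page), the same check scripted in Python: parse_s_client() extracts the verification result from saved s_client output such as the transcript above, and check_ldaps() repeats the verification with the ssl module, which additionally checks that the certificate name matches the host we connected to. The host kdc.ipa.asenjo.nx and the path /etc/ipa/ca.crt come from the page; the sample output is a constructed excerpt of the transcript.

```python
"""Check an IPA LDAPS endpoint against the exported CA file (/etc/ipa/ca.crt)."""
import re
import socket
import ssl

# Constructed sample: the relevant lines of the s_client transcript above.
SAMPLE_OUTPUT = """\
depth=1 O = IPA.ASENJO.NX, CN = Certificate Authority
verify return:1
depth=0 O = IPA.ASENJO.NX, CN = kdc.ipa.asenjo.nx
verify return:1
---
subject=/O=IPA.ASENJO.NX/CN=kdc.ipa.asenjo.nx
issuer=/O=IPA.ASENJO.NX/CN=Certificate Authority
    Verify return code: 0 (ok)
"""


def parse_s_client(output):
    """Return (ok, code, chain) from saved `openssl s_client` output.

    ok is True only when the final 'Verify return code' is 0; chain lists the
    subjects openssl walked, deepest (the CA) first.
    """
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    if not m:
        return False, None, []
    code = int(m.group(1))
    chain = [s.strip() for s in re.findall(r"^depth=\d+\s+(.*)$", output, re.M)]
    return code == 0, code, chain


def check_ldaps(host, port=636, cafile="/etc/ipa/ca.crt", timeout=5.0):
    """Connect to host:port over TLS, trusting only the CA in cafile.

    Raises ssl.SSLError if the server chain does not lead to that CA or the
    certificate name does not match host. Returns the server cert's issuer.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # refuse servers we cannot verify
    ctx.check_hostname = True             # s_client alone does not check this
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(rdn[0] for rdn in cert["issuer"])


if __name__ == "__main__":
    ok, code, chain = parse_s_client(SAMPLE_OUTPUT)
    print("verify return code", code, "ok" if ok else "FAILED", chain)
```

Run check_ldaps("kdc.ipa.asenjo.nx") from a host that can reach the server; an exception means either the CA file or the server's certificate name is wrong.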