SUMMARY: SSL/TLS Problem with CA-signed Certs

From: <>
Date: Fri Mar 04 2005 - 12:47:17 EST
The problem ended up being that the CA certificate did not have the CA flag
set, which one of my co-workers discovered.  The SSL connections worked
fine once that was remedied with a correct CA certificate.  We suspect that
without the CA flag set the SSL verification process mistook it for the
server certificate itself, resulting in the error indicating a mismatch in
the CN of the CA certificate and the FQDN of the server.

Thank you to those individuals that shared your thoughts on this with me.

Michael H. Buselli


I cannot get nss_ldap or ldapclient (Solaris 10 client, native commands) to
work right when the LDAP server uses TLS and a CA-signed server certificate
(works fine if I use a self-signed server cert).  Has anyone encountered
this problem and/or know how to fix it?  The error I get when using a
CA-signed cert is:

   Mar  3 00:20:45 conjunct ldapsearch[22589]: [ID 605618 user.error]
   libldap: CERT_VerifyCertName: cert server name 'cccis certificate
   authority' does not match '': SSL connection

Both certificates were added to the cert7.db files during testing.  I used
both Windows (W2K3 Active Directory) and Linux (OpenLDAP) for the servers
during testing.  Non-Solaris clients (such as OpenLDAP ldapsearch and the
LDAP Browser-Editor by Jarek Gawor) work fine with either kind of

Thank you!

Michael H. Buselli
sunmanagers mailing list
Received on Fri Mar 4 12:51:22 2005

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:44 EST