Tuesday, April 2, 2019

[389-users] Re: Peer's certificate issuer has been marked as not trusted by the user

> On 3 Apr 2019, at 04:39, Vandenburgh, Steve Y <Steve.Vandenburgh@centurylink.com> wrote:
>
> Believe that you may need the "T" trust setting on the CA certificate too:
>
> certutil
> -t trustargs
> Specify the trust attributes to modify in an existing certificate
> or to apply to a certificate when creating it or adding it to a
> database. There are three available trust categories for each
> certificate, expressed in the order SSL, email, object signing for
> each trust setting. In each category position, use none, any, or
> all of the attribute codes:
>
> · p - Valid peer
>
> · P - Trusted peer (implies p)
>
> · c - Valid CA
>
> · C - Trusted CA (implies c)
>
> · T - trusted CA for client authentication (ssl server only)

I think you are correct here, Steve.

The other place to check is cn=encryption,cn=config; I think there is nsClientAuth (?) or similar, which should be set to "allowed" rather than "never". I don't have the documentation in front of me this very second, but it's worth checking that too.


Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
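The two checks discussed in this thread, as an added example that is not part of either message and not code from the 389 DS project: a small POSIX shell script that parses `certutil -L` output to confirm the issuing CA's SSL trust category carries both C (trusted CA) and T (trusted CA for client authentication), prints the `certutil -M` command that would fix it, and emits the LDIF for the cn=encryption,cn=config setting. The attribute William is reaching for is nsSSLClientAuth, whose values are off, allowed and required. The instance directory `/etc/dirsrv/slapd-INSTANCE`, the nickname `Example CA` and the `certutil -L` listing embedded below are placeholders constructed for this script.

```shell
#!/bin/sh
# Added example, not from the 389-users thread. Verifies NSS trust flags on
# a CA certificate and prepares the nsSSLClientAuth change for 389 DS.
#
# Assumptions: the NSS database path and the nickname "Example CA" are
# placeholders; SAMPLE_CERTUTIL_OUTPUT is a constructed listing in the
# layout `certutil -L -d <dbdir>` prints (nickname, then "SSL,S/MIME,JAR/XPI").

DBDIR=/etc/dirsrv/slapd-INSTANCE   # placeholder instance directory

# Print the SSL trust category (first comma-separated group) of the named
# certificate, reading `certutil -L` output on stdin. The trust string is the
# last field on the line: nicknames may contain spaces, trust strings never do.
ca_ssl_trust() {
    awk -v nick="$1" '
        { sub(/[ \t]+$/, "") }
        # A trust string is three comma-separated groups of NSS flag letters;
        # this skips the header lines ("Attributes", "SSL,S/MIME,JAR/XPI").
        $NF !~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ { next }
        {
            trust = $NF
            name = substr($0, 1, length($0) - length(trust))
            sub(/[ \t]+$/, "", name)
            if (name == nick) { split(trust, t, ","); print t[1]; exit }
        }'
}

# Return 0 when the SSL category has both C and T (the setting Steve
# describes: trusted CA, and trusted to issue client-auth certificates).
ca_trust_ok() {
    ssl=$(ca_ssl_trust "$1")
    case "$ssl" in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

# LDIF for ldapmodify that turns on client certificate authentication.
# "allowed" accepts a client certificate without requiring one on every bind;
# "required" rejects TLS clients that do not present one.
client_auth_ldif() {
    printf '%s\n' \
        'dn: cn=encryption,cn=config' \
        'changetype: modify' \
        'replace: nsSSLClientAuth' \
        "nsSSLClientAuth: ${1:-allowed}"
}

# Constructed sample: the CA was imported with -t "C,," (no T flag).
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example CA                                                   C,,'

# On a live server replace the printf with: certutil -L -d "$DBDIR"
if printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | ca_trust_ok 'Example CA'; then
    echo "Example CA: SSL trust flags include C and T"
else
    echo "Example CA: SSL trust flags lack C and/or T; fix with:"
    echo "  certutil -M -d $DBDIR -n 'Example CA' -t 'CT,,'"
fi

# Pipe this into: ldapmodify -H ldap://localhost -D 'cn=Directory Manager' -W
client_auth_ldif allowed
```

Rerun the listing check after `certutil -M` and before restarting the instance; the LDIF is only the second half of the fix, and a CA that is still `C,,` will keep producing the "issuer has been marked as not trusted" error regardless of nsSSLClientAuth.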
