

Setting Up the Appropriate Trust Relations

Before you can use ldapsearch over SSL, make sure that the certificate of the CA that signed the LDAP/SSL server's certificate is trusted in the client's certificate database.


To complete this step you must have access to the certutil tool, which ships with the Mozilla/Netscape NSS tools. You can download it from the Mozilla or Netscape website at: http://www.mozilla.org/projects/security/pki/nss/tools/ or http://developer.netscape.com/software/tools/pkcs/up106.html

To Set Up the Appropriate Trust Relations

  1. Check whether the CA certificate is trusted, either by running certutil -L or by viewing the certificate status from within the Netscape browser at Communicator > Tools > Security Info > Certificates > Yours > <Certificate> > Verify.

    You either get a box showing "The certificate has been successfully verified" or a negative message (for example, "Verification of the selected certificate failed for the following reasons: Certificate not trusted").

    The only crucial certificate is that of the CA that signed the certificate of the LDAP/SSL server. This is the CA that was set up in the section "Setting Up the Directory Server and the Certificate Server." Its certificate can be identified by its nickname, iNIT8 Certificate Manager - iNIT8. The corresponding line in the output of certutil -L should look like this:

    iNIT8 Certificate Manager - iNIT8  C,C,C
  2. Make sure this certificate is present in the ~/.netscape/cert7.db file with the proper trust attributes.

    • If it is not in this file, import it either by pointing your browser at https://sunshine.init8.net:443 or by using the browser's certificate import function.

    • If it resides in the ~/.netscape/cert7.db file but without the proper trust attributes, change its trust flags with certutil -M. The three comma-separated fields are SSL, S/MIME and object signing; C marks the CA as trusted to issue certificates for that purpose, and the first (SSL) field is the one ldapsearch over SSL relies on:

    bash-2.03# certutil -d /.netscape -n "iNIT8 Certificate Manager - iNIT8" 
     -M -t "C,C,C"
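The two steps above can be scripted: list the database, find the CA nickname, inspect the SSL field of its trust attributes, and either report that all is well, that the certificate must be imported first, or print the certutil -M command that fixes the flags. The following is an added example, not code from the original article; the nickname, database path and trust string are the article's values, and the two certutil -L listings embedded below are constructed so the script runs offline (replace them with `$(certutil -L -d "$DB")` to check a real database).

```shell
#!/bin/sh
# Added example (not from the original article). Decides, from certutil -L
# output, whether the CA that signed the LDAP/SSL server certificate is
# trusted for SSL, and prints the certutil -M command to run if it is not.

DB="${HOME}/.netscape"                       # cert7.db directory used by the article
NICK="iNIT8 Certificate Manager - iNIT8"     # nickname of the CA certificate

# Constructed certutil -L output: CA present but only marked as a valid CA (c),
# not as trusted to issue server certificates (C).
SAMPLE_LISTING='
Certificate Name                                   Trust Attributes

iNIT8 Certificate Manager - iNIT8                  c,c,c
sunshine.init8.net                                 u,u,u
'

# Constructed certutil -L output after the fix.
TRUSTED_LISTING='
iNIT8 Certificate Manager - iNIT8                  C,C,C
'

# ssl_trust LISTING NICK
# Prints the SSL field (first of the three trust fields) for NICK, or
# "missing" if no line of the listing contains the nickname.
ssl_trust() {
    listing="$1"; nick="$2"
    # Nicknames may contain spaces, so match the literal nickname, not a column.
    line=$(printf '%s\n' "$listing" | grep -F -- "$nick" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    # certutil prints the trust attributes as the last token, e.g. "C,C,C" or ",,".
    attrs=${line##* }
    echo "${attrs%%,*}"
}

# trust_action LISTING NICK DB
# Prints "ok" when the CA is trusted for SSL, an import hint when it is absent,
# and otherwise the exact certutil -M command from the article.
trust_action() {
    t=$(ssl_trust "$1" "$2")
    case "$t" in
        *C*)     echo ok ;;
        missing) echo "missing: import the CA certificate into $3 first" ;;
        *)       echo "certutil -d \"$3\" -n \"$2\" -M -t \"C,C,C\"" ;;
    esac
}

# Demonstration on the constructed listings.
echo "before: $(trust_action "$SAMPLE_LISTING" "$NICK" "$DB")"
echo "after:  $(trust_action "$TRUSTED_LISTING" "$NICK" "$DB")"
```

The check is case-sensitive on purpose: a lowercase c only says the certificate is a valid CA, while uppercase C is what marks it as trusted to issue server certificates, which is the distinction the trust attributes in the article turn on.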