PEM certificates support?

ArkanoiD

Aug 18, 2009, 4:19:34 PM
to Pathfinder Mailing List
Does Pathfinder support PEM certificate bundles? Most Linux
distributions are shipped with root CAs in that format, and it looks
like Pathfinder expects DER only.

Dave Coombs

Aug 18, 2009, 5:47:50 PM
to pathfinder...@googlegroups.com
Hi,

> Does Pathfinder support PEM certificate bundles? Most Linux
> distributions are shipped with root CAs in that format, and it looks
> like Pathfinder expects DER only.

Really? Which version of Pathfinder are you using? It has supported
both PEM and DER for quite some time now.

You should certainly be able to put PEM files into any directory
defined in [Trusted Directories] in your pathfinderd.ini file. That's
how we run it internally, even.

Let us know if you need more help. It may help if you provide log
messages, etc...

Thanks,
-Dave Coombs
Carillon Information Security Inc.
http://www.carillon.ca/

ArkanoiD

Aug 18, 2009, 5:52:59 PM
to Pathfinder Mailing List
It is rpm version from http://www.carillon.ca/tools/downloads/openldap-rpm/

Aug 19 01:51:14 grave (ugid=103:106 pid=19581) pathfinderd: Starting pathfinderd version 1.0.0.
Aug 19 01:51:14 grave (ugid=103:106 pid=19581) pathfinderd: Import DER from '/etc/pki/tls/certs/ca-bundle.crt': error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Aug 19 01:51:14 grave (ugid=103:106 pid=19581) pathfinderd: WARNING: Tried to add certificate from file /etc/pki/tls/certs/ca-bundle.crt, but loaded certificate not ok!

Dave Coombs

Aug 18, 2009, 6:04:14 PM
to pathfinder...@googlegroups.com
OK. Only thing I can think of is that Pathfinder doesn't like it if
there's anything before the -----BEGIN CERTIFICATE----- header in
the .PEM file. The header should be the first line.

I suppose that qualifies as a bug.

Make sure the file is "clean" and let me know if there's still a
problem.

(I'd have to double-check, but I think it might also only load the
first certificate in any concatenated PEM file. So if there's more
than one cert in a file, you should put them in separate files.)

Thanks,
-Dave

ArkanoiD

Aug 18, 2009, 6:13:37 PM
to Pathfinder Mailing List
Thanks! Yes, removing garbage does help. But it is the way certificate
bundles are distributed - with all those comments and text dumps. Are
there plans to just skip everything not between BEGIN CERTIFICATE and
END CERTIFICATE, as well as read multiple certificates from a single
file?

On Aug 19, 2:04 am, Dave Coombs <dcoo...@gmail.com> wrote:
> OK.  Only thing I can think of is that Pathfinder doesn't like it if  
> there's anything before the -----BEGIN CERTIFICATE----- header in  
> the .PEM file.  The header should be the first line.
>
> I suppose that qualifies as a bug.
>
> Make sure the file is "clean" and let me know if there's still a  
> problem.
>
> (I'd have to double-check, but I think it might also only load the  
> first certificate in any concatenated PEM file.  So if there's more  
> than one cert in a file, you should put them in separate files.)
>
> Thanks,
>    -Dave
>
> On Aug-18-09, at 5:52 PM, ArkanoiD wrote:
>
> > It is rpm version from http://www.carillon.ca/tools/downloads/openldap-rpm/

Dave Coombs

Aug 19, 2009, 8:59:26 AM
to pathfinder...@googlegroups.com
Yes, that's definitely on our usability to-do list.

Thanks,
-Dave
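
The workaround discussed in this thread (one certificate per file, with nothing before the BEGIN line), as an added example that is not part of the original posts and not Pathfinder code. The function names, the ca-NNN.pem output naming and the sample bundle are assumptions made for illustration; the output directory is what you would then list under [Trusted Directories].

```python
import base64
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def split_pem_bundle(text):
    """Return one clean PEM string per certificate block, dropping all other text."""
    certs, body = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            body = []                      # start a block; an unterminated one is discarded
        elif line == END and body is not None:
            b64, body = "".join(body), None
            try:
                der = base64.b64decode(b64, validate=True)
            except ValueError:             # binascii.Error: body is not valid base64
                continue
            if der[:1] != b"\x30":         # a certificate is a DER SEQUENCE (tag 0x30)
                continue
            wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            certs.append(f"{BEGIN}\n{wrapped}\n{END}\n")
        elif body is not None:
            body.append(line)              # base64 line inside a block
    return certs

def write_split(bundle_path, out_dir):
    """Write each certificate to out_dir/ca-NNN.pem (hypothetical naming); return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    text = Path(bundle_path).read_text(encoding="utf-8", errors="replace")
    paths = []
    for n, pem in enumerate(split_pem_bundle(text), 1):
        path = out / f"ca-{n:03d}.pem"
        path.write_text(pem, encoding="ascii")
        paths.append(path)
    return paths

def sample_block(serial):
    # Constructed stand-in: 5 DER bytes (SEQUENCE { INTEGER serial }), not a real certificate.
    b64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, serial])).decode()
    return f"{BEGIN}\n{b64}\n{END}\n"

# Constructed sample bundle with the comments and text dumps the thread describes.
SAMPLE_BUNDLE = ("# Example Root CA 1\nCertificate:\n    Data:\n        Version: 3\n"
                 + sample_block(1) + "\n# Example Root CA 2\n" + sample_block(2))

if __name__ == "__main__":
    print(f"{len(split_pem_bundle(SAMPLE_BUNDLE))} certificates found")
```

Blocks that are unterminated, not valid base64, or that do not start with a SEQUENCE tag are skipped rather than written, so compare the number of files produced with the number of BEGIN lines in the source bundle before trusting the result.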