Peer's certificate issuer is unknown while certificates have been added

Bert Van de Poel bert at bhack.net
Thu Sep 20 02:01:49 CEST 2012


Dear mailinglist,

I am not sure whether this is a silly question but I have been unable to 
solve it or find a decent answer online.

We, a group of students supplying services to students' assemblies for 
the local university, are trying to connect to the university's ldap 
server which uses ssl.
We have correct ldap details but gnuTLS considers the connection to be 
insecure. (I checked that it could only be tls by allowing insecure ldap 
transactions for a second.)

I went on to test things using gnutls-cli:
Resolving 'ldap.kuleuven.be'...
Connecting to '134.58.127.92:636'...
- Certificate type: X.509
  - Got a certificate list of 4 certificates.
  - Certificate[0] info:
   - subject `C=BE,L=Leuven,O=Katholieke Universiteit 
Leuven,OU=Competentiecentrum Informatiebeveiliging,CN=ldap.kuleuven.be', 
issuer `C=NL,O=TERENA,CN=TERENA SSL CA', RSA key 2048 bits, signed using 
RSA-SHA1, activated `2012-01-25 00:00:00 UTC', expires `2015-01-24 
23:59:59 UTC', SHA-1 fingerprint `9dc847d52b4e478b314dccbbf0382645822062db'
  - Certificate[1] info:
   - subject `C=NL,O=TERENA,CN=TERENA SSL CA', issuer `C=US,ST=UT,L=Salt 
Lake City,O=The USERTRUST 
Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 
2048 bits, signed using RSA-SHA1, activated `2009-05-18 00:00:00 UTC', 
expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint 
`3a881764472b6441ddb3afdd47c6b8b76ee7ba1d'
  - Certificate[2] info:
   - subject `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST 
Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', issuer 
`C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust 
External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated 
`2005-06-07 08:09:10 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 
fingerprint `3d4b2a4c64317143f50258d7e6fd7d3c021a529e'
  - Certificate[3] info:
   - subject `C=SE,O=AddTrust AB,OU=AddTrust External TTP 
Network,CN=AddTrust External CA Root', issuer `C=SE,O=AddTrust 
AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA 
key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 
UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint 
`02faf3e291435468607857694df5e45b68851868'
- The hostname in the certificate matches 'ldap.kuleuven.be'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

Based on this I contacted the IT department and they sent me 3 of the 4 
mentioned certificates, which they told me I should add to our pool. I 
did this and also added the fourth one which was missing. The 
certificates were identical to the ones presented when asking for more 
debugging information from gnutls-cli.

The procedure I followed to add the certificates was: I created a 
directory /usr/share/ca-certificates/ldap.kuleuven.be and added all 
certificates in separate files and in one file combined as well. Next I 
edited /etc/ca-certificates.conf to add all of those files and ran 
update-ca-certificates. All certificates turned up nicely in /etc/ssl/certs/. 
I verified that all permissions were correct. Our webserver which is 
doing these connections uses Ubuntu 12.04 Server, which uses gnutls 
3.0.11, if that is of any use to you.

Now I think I've added these certificates correctly and they should be 
recognised.
Am I perhaps adding the wrong files and do I not need certificates but 
the big CA chains? Am I doing something else wrong?

Some help would be of great use to us, especially with the start of the 
academic year around the corner.

If any more information is required please do respond, I will supply any 
information promptly.

Thanks in advance.

Kind Regards,
Bert Van de Poel.
ULYSSIS
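The message above boils down to one question: does the bundle the client trusts actually contain an issuer for the chain the server presents? "Peer's certificate issuer is unknown" is what gnutls-cli reports when it walks the chain from the leaf upwards and reaches a certificate whose issuer is neither further up the chain nor in its trust list. The following is an added example, not code from the original post and not GnuTLS code: a dependency-free Python diagnostic that repeats that walk by matching issuer DN to subject DN as raw DER (the same criterion a verifier uses to select a candidate issuer). It deliberately does not check signatures, so a clean result means "the right files are in the bundle", not "the chain is cryptographically valid". The sample certificates are constructed placeholders with CN-only names that mirror the four CNs in the gnutls-cli output; they are not the real KU Leuven, TERENA, USERTrust or AddTrust certificates, and the helpers `der`, `name`, `fake_cert` and `to_pem` exist only to build them.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(data, pos):
    """Decode one DER TLV at `pos`; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(cert):
    """Return (issuer, subject) as the raw DER contents of the two Name fields."""
    _, pos, _ = der_tlv(cert, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = der_tlv(cert, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = der_tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    _, _, pos = der_tlv(cert, pos)         # serialNumber
    _, _, pos = der_tlv(cert, pos)         # signature AlgorithmIdentifier
    _, start, pos = der_tlv(cert, pos)     # issuer Name
    issuer = cert[start:pos]
    _, _, pos = der_tlv(cert, pos)         # validity
    _, start, pos = der_tlv(cert, pos)     # subject Name
    return issuer, cert[start:pos]


def common_name(name):
    """Pull the CN (OID 2.5.4.3) out of a DER Name value, for readable output."""
    pos = 0
    while pos < len(name):
        _, rdn_start, pos = der_tlv(name, pos)            # RelativeDistinguishedName SET
        _, atv_start, _ = der_tlv(name, rdn_start)        # AttributeTypeAndValue SEQUENCE
        _, oid_start, oid_end = der_tlv(name, atv_start)  # attribute type OID
        if name[oid_start:oid_end] == b"\x55\x04\x03":
            _, val_start, val_end = der_tlv(name, oid_end)
            return name[val_start:val_end].decode("utf-8", "replace")
    return "<no CN>"


def load_pem_bundle(text):
    """Split a PEM file (one or many certificates) into a list of DER blobs."""
    return [base64.b64decode("".join(block.split())) for block in PEM_RE.findall(text)]


def trust_gap(chain, ca_bundle):
    """Walk from the leaf upwards the way a TLS client does.

    Returns None as soon as some certificate's issuer is a subject in
    `ca_bundle` (the chain is anchored); otherwise the CN of the first issuer
    found neither in the bundle nor elsewhere in the chain, i.e. the
    certificate behind a "Peer's certificate issuer is unknown" result.
    """
    ca_subjects = {cert_names(c)[1] for c in ca_bundle}
    chain_by_subject = {cert_names(c)[1]: c for c in chain}
    current, seen = chain[0], set()
    while True:
        issuer, subject = cert_names(current)
        if issuer in ca_subjects:
            return None
        if issuer == subject or issuer not in chain_by_subject or issuer in seen:
            return common_name(issuer)
        seen.add(subject)
        current = chain_by_subject[issuer]


# --- constructed sample input: placeholder certificates, not the real ones ---
def der(tag, payload):
    """Minimal DER encoder, used only to build the sample certificates."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def name(cn):
    """Name ::= SEQUENCE OF SET OF {OID commonName, PrintableString cn}."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))
    return der(0x30, der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """X.509 framing with CN-only names, an empty key and a dummy signature."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSA
           + name(issuer_cn)
           + der(0x30, der(0x17, b"120125000000Z") + der(0x17, b"150124235959Z"))
           + name(subject_cn) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


def to_pem(certs):
    return "".join("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(c).decode()
                   + "-----END CERTIFICATE-----\n" for c in certs)


# The four-certificate chain from the gnutls-cli output above, reduced to CNs.
SERVER_CHAIN = [
    fake_cert("ldap.kuleuven.be", "TERENA SSL CA"),
    fake_cert("TERENA SSL CA", "UTN-USERFirst-Hardware"),
    fake_cert("UTN-USERFirst-Hardware", "AddTrust External CA Root"),
    fake_cert("AddTrust External CA Root", "AddTrust External CA Root"),
]

if __name__ == "__main__":
    for label, bundle_text in [("empty bundle", ""),
                               ("intermediates only", to_pem(SERVER_CHAIN[1:3])),
                               ("root included", to_pem(SERVER_CHAIN[3:]))]:
        gap = trust_gap(SERVER_CHAIN, load_pem_bundle(bundle_text))
        print(f"{label}: {'trusted' if gap is None else 'issuer unknown: ' + gap}")
```

Pointing `load_pem_bundle` at a real file, such as the /etc/ssl/certs/ca-certificates.crt that update-ca-certificates writes on Debian and Ubuntu, and at the chain saved from gnutls-cli, tells you which of the two halves is wrong: a CN reported here means that certificate never made it into the bundle; a `None` means the files are right and the problem lies elsewhere, for instance in which bundle the client actually loads (gnutls-cli only trusts the file passed with `--x509cafile`, and an LDAP client has its own setting for the CA file).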