Hello,

I have a problem understanding how cacert.pem works on openldap 2.4 under
centos.

I have an extremely heterogeneous machine park (with openldap customers and
other owners)

So I have 2 Certificates (CA and intermediate CA) self-signed with the
MD5withRSA algorithm and the same 2 certificates self-signed with the
SHA1withRSA algorithm.

The 4 certificates are therefore in the cacert.pem of the server and the
clients. (keystore)

It works perfectly for old servers but for new ones I have to force the use
of TLS 1.1 because of the algorithms.

I have two problems:

If I just paste the 2 certificates in MD5 in the client keystore, it works,
but if I leave the 2 certificates in SHA1, it does not work (bad
certificate). I don't understand how openldap reads the file when there
are multiple choices. Does it start with the first pair, and if that doesn't
work go on to the next one?

So the idea would be to generate 2 new certificates identical to the others
but with a SHA256 signature, for example, to work in TLS 1.2/1.3 and keep
ldap compatibility with old servers.

The cacert.pem file of the OpenLDAP server would therefore have 6
certificates, and the clients, depending on their OS, would have the appropriate
pair of certificates. Could this work? Or, for the clients, do I leave the cacert
the same and it will choose what it needs to establish the TLS connection?

I am a little lost ...

best regards
Fred,
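As an added check (example code written here, not from the OpenLDAP project or from the poster): a small Python script that lists the signature algorithm of every certificate in a PEM bundle such as cacert.pem and flags the MD5/SHA1-signed ones that current TLS stacks reject, so you can see which CA pair a given client can actually use. It walks the DER by hand instead of using a library, and the bundle it audits is constructed for the example, not real certificates.

```python
import base64
import re
# OIDs of the RSA signature algorithms that matter for the bundle described in the post
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # rejected by current TLS stacks
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name (or dotted OID) from the outer signatureAlgorithm field of a DER X.509 cert."""
    _, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, _, tbs_end = _tlv(der, start)      # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid_start, oid_end = _tlv(der, alg_start)
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def audit_bundle(pem_text):
    """For every certificate in a cacert.pem-style bundle: (index, algorithm, is_weak)."""
    algs = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]
    return [(i, a, a in WEAK) for i, a in enumerate(algs)]

def fake_cert_pem(oid_bytes):
    """Constructed test input, NOT a real certificate: minimal DER skeleton with the given sigAlg OID."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    alg = der(0x30, der(0x06, oid_bytes) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    cert = der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00\xff"))  # empty tbs, dummy signature
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
# constructed sample bundle: one md5WithRSA-signed cert followed by one sha256WithRSA-signed cert
SAMPLE_BUNDLE = fake_cert_pem(bytes.fromhex("2a864886f70d010104")) + fake_cert_pem(bytes.fromhex("2a864886f70d01010b"))
print(audit_bundle(SAMPLE_BUNDLE))  # [(0, 'md5WithRSAEncryption', True), (1, 'sha256WithRSAEncryption', False)]
```

To audit a real bundle, pass the file contents to `audit_bundle()`; real certificates use long-form DER lengths, which `_tlv` handles.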
