From: Chris R. <Chr...@me...> - 2000-07-17 13:22:18
On Mon, 17 Jul 2000 07:53:11 CDT, Mark Wilcox wrote:
> To store certificate in an entry is simple. You simply slurp it into a
> scalar (e.g. $certificate) as a binary and store in the
> usercertificate;binary (there is an optional text representation under
> LDAP v2, but I don't know it and everybody is now building their
> products for binary).

The LDAPv2 string representation was not optional, but it was so broken that nobody ever used it. You can basically assume that for an LDAPv2 server the value of the userCertificate attribute was the BER encoding of the certificate. (In LDAPv3 the value of the "userCertificate;binary" attribute is the BER encoding of the certificate.)

> The certificate can either be encoded as DER (Distinguished Encoding
> Rules) or PEM (Privacy Enhanced Mail), which essentially is BASE64
> encoded DER (though don't just Base64 DER and expect everything to work
> ;), read up on it first through the openSSL mail archives).

The directory *requires* the certificate to be the BER value - anything else is incorrect and will only work on broken LDAP servers.

(Note I keep writing BER instead of DER :-)

Cheers,
Chris
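
An added example, not part of the original thread: one way to make sure the scalar handed to the directory is the binary BER/DER value rather than PEM or bare Base64 text. The helper names `outer_sequence_length` and `cert_to_binary` are hypothetical, and the sample blob is a constructed 5-octet SEQUENCE, not a real certificate.

```perl
#!/usr/bin/perl
# Added example: normalise a certificate blob to the binary value that
# belongs in userCertificate;binary. Helper names are hypothetical.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Total length (header + content) of the outer definite-length SEQUENCE
# at the start of $buf, or undef if $buf does not start with one.
sub outer_sequence_length {
    my ($buf) = @_;
    return undef if length($buf) < 2 || ord(substr($buf, 0, 1)) != 0x30;
    my $first = ord(substr($buf, 1, 1));
    return 2 + $first if $first < 0x80;          # short-form length
    my $n = $first & 0x7f;                       # long form: $n length octets
    return undef if $n == 0 || $n > 4 || length($buf) < 2 + $n;
    my $len = 0;
    $len = ($len << 8) | ord($_) for split //, substr($buf, 2, $n);
    return 2 + $n + $len;
}

# Accept PEM or raw DER; return the binary value to store, or die.
sub cert_to_binary {
    my ($input) = @_;
    my $der = $input;
    if ($input =~ /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/s) {
        (my $b64 = $1) =~ s/\s+//g;              # strip line breaks
        $der = decode_base64($b64);
    }
    my $total = outer_sequence_length($der);
    die "not a single BER SEQUENCE; refusing to store\n"
        unless defined $total && $total == length($der);
    return $der;
}

# Constructed sample: SEQUENCE { INTEGER 5 }, used only to exercise the check.
my $sample_der = "\x30\x03\x02\x01\x05";
my $sample_pem = "-----BEGIN CERTIFICATE-----\n"
               . encode_base64($sample_der)
               . "-----END CERTIFICATE-----\n";

for my $case ([pem => $sample_pem], [der => $sample_der],
              [bare_base64 => encode_base64($sample_der)]) {
    my ($name, $blob) = @$case;
    my $out = eval { cert_to_binary($blob) };
    my $msg = defined $out ? "ok, " . length($out) . " octets" : "rejected: $@";
    chomp $msg;
    print "$name: $msg\n";
}
```

The PEM and DER inputs both yield the same five octets, while the bare Base64 text is rejected because it is not the encoded value itself.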