Controlling Certificates Presented In The Chain By Server To Clients (MMP/MTA/etc)
(Doc ID 2626728.1)
Last updated on JANUARY 09, 2020
Applies to: Oracle Communications Messaging Server - Version 8.0.2 and later
Information in this document applies to any platform.
As part of a requirement to enable TLS for all inter-system communication within Messaging Server, LDAPS was configured for UG lookups on MMP.
The certificate used on the DSEE is signed by a public CA. The DSEE presents 3 certificates in the chain:
0 - server cert (a wildcard domain certificate)
1 - the CA's intermediate certificate which signed the server cert and was applied to the DSEE
2 - the CA's root certificate, which the DSEE has within its built-in CA truststore
The MMP was already providing TLS-enabled services to POP and IMAP clients. The certificates in the MMP database were the same as 0 and 1 above; 2 was not included because clients already have it in their own CA truststore.
Initially, LDAPS for UG binding was not working:
Is there a way to control the certificate chain such that the root CA (2) is not presented to clients? It is not required to be presented since the intermediate is presented and the clients can validate the chain of trust. It is possible that old/bad clients will interpret the root CA cert as self-signed (because it is) and have an issue.
Enable TLS for all inter-system communication within Messaging Server
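An added check, not part of this Oracle note, that inspects a PEM bundle in the order a server presents it (leaf first) and reports which entries are self-signed roots like certificate 2 above, and whether the remaining chain still links issuer to subject once the root is dropped. It assumes the openssl CLI and POSIX awk, and builds its own constructed test chain (wildcard leaf, intermediate, self-signed root) because the note contains no real certificates:

```shell
#!/bin/sh
# Added example (not from the Oracle note). Assumes the openssl CLI and awk.
set -e

# Split a PEM bundle ($1) into cert0.pem, cert1.pem, ... inside directory $2.
split_chain() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        { print > (dir "/cert" (n - 1) ".pem") }' "$1"
}

# Print how many certificates in the bundle are self-signed (subject == issuer),
# i.e. root CAs that clients are expected to hold in their own truststore.
count_self_signed() {
    dir=$(mktemp -d); split_chain "$1" "$dir"; n=0
    for f in "$dir"/cert*.pem; do
        if [ "$(openssl x509 -in "$f" -noout -subject_hash)" = \
             "$(openssl x509 -in "$f" -noout -issuer_hash)" ]; then
            n=$((n + 1))
        fi
    done
    rm -rf "$dir"; echo "$n"
}

# Succeed if each certificate's issuer is the subject of the next one, so the
# chain of trust is still intact after a trailing root has been left out.
chain_is_linked() {
    dir=$(mktemp -d); split_chain "$1" "$dir"; prev=""
    for f in "$dir"/cert*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject_hash)
        [ -z "$prev" ] || [ "$prev" = "$subj" ] || { rm -rf "$dir"; return 1; }
        prev=$(openssl x509 -in "$f" -noout -issuer_hash)
    done
    rm -rf "$dir"
}

# Build a constructed root -> intermediate -> wildcard leaf chain in $1 (test data
# only; the names are placeholders, not certificates from the note).
make_test_chain() (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -out inter.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
    cat leaf.pem inter.pem root.pem > chain_with_root.pem   # what the DSEE sends (0,1,2)
    cat leaf.pem inter.pem > chain_without_root.pem          # what the MMP holds (0,1)
)
```

Run `count_self_signed` against the bundle the server actually sends (for example, the `-showcerts` output of `openssl s_client` saved to a file) to confirm whether a self-signed root is among the certificates presented.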