
Re: Load-Balanced LDAP Servers + TLS/SSL



On Thu, Oct 11, 2001 at 09:09:00AM -0700, Zachary Denison wrote:
> How exactly do we add a subjectAltName field.  Do I
> simply edit openssl.cnf and add the following lines?
> 
> subjectAltName = "8. SubjectAltName (FQDN)"
> subjectAltName_max              = 64
> subjectAltName_default          = www.snakeoil.com
> 
> then it DOES prompt me to enter a subjectAltName but
> is it being inserted in the correct place?

I don't think so. In my cnf file (I have a custom one for my domain), I
have the following:

  x509_extensions = usr_cert

which means that the subjectAltName field must be in the [ usr_cert ]
section:

  [ usr_cert ]
  subjectAltName=DNS:ldap.example.com

I tried adding the _max and _default directives, but I was not prompted.
I don't think all the fields in the cnf file can be set up to offer
prompts.

You can check that your certificate has the alternate name as follows:

  openssl x509 -in <certificate file> -text -noout | less

   X509v3 extensions:
    ...
        X509v3 Subject Alternative Name: 
            DNS:ldap.example.com
    ...

Which brings up a final point. The certificate you generate must be an
x509 certificate. Can you tell that I'm new at this? I'm using an
ca.sh (certificate authority) shell script to manage all this stuff for
me.

Yours,

Luca

> --- Howard Chu <hyc@highlandsun.com> wrote:
> > You should re-read section 3.6 of RFC 2830. In particular, you
> > should look into using the subjectAltName/DNSname extension in your
> > server certificates.  This will allow you to list both the
> > load-balanced name "ldap.example.com"

-- 
Luca Filipozzi
[dpkg] We are the apt. Resistance is futile. You will be packaged.
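The configuration Luca describes, carried through end to end as an added example; this is not code from the original thread or from OpenLDAP. It writes a minimal openssl.cnf whose x509_extensions setting points at a [ usr_cert ] section holding the subjectAltName, issues a self-signed test certificate from it, and then checks the SAN the same way Luca does (openssl x509 -text). Assumptions: an openssl binary on PATH; the names ldap.example.com and ldap1.example.com (the load-balanced name plus one member host, per Howard Chu's advice) are constructed placeholders; and because this uses openssl req -x509 to self-sign rather than openssl ca, the x509_extensions line lives in the [ req ] section instead of [ CA_default ].

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes `openssl` is installed.
# Hostnames and the working directory are constructed placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal config: [ req ] points x509_extensions at [ usr_cert ], and
# [ usr_cert ] is the section where the subjectAltName must be declared.
# prompt = no makes the run non-interactive (the DN comes from [ req_dn ]).
write_cnf() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = usr_cert
prompt             = no

[ req_dn ]
CN = ldap.example.com

[ usr_cert ]
subjectAltName = DNS:ldap.example.com,DNS:ldap1.example.com
EOF
}

# Issue a throwaway self-signed certificate from that config. -extensions
# names the section explicitly so the SAN is copied into the certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions usr_cert \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Print the DNS names from the certificate's SAN extension, one per line.
# The SAN values sit on the line after the "Subject Alternative Name" header
# in `openssl x509 -text` output, comma separated and prefixed with "DNS:".
san_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*DNS://'
}

# Exit 0 if the certificate lists the given name in its SAN, 1 otherwise.
has_san() {
    san_names "$1" | grep -qx "$2"
}

write_cnf
make_cert
echo "SAN entries in $WORK/cert.pem:"
san_names "$WORK/cert.pem"
```

The has_san check is the piece worth keeping around: a client that connects to the load-balanced name will only accept the certificate if that exact name appears in the SAN, so verifying it at issue time catches the "edited openssl.cnf but the extension never made it into the certificate" problem before the certificate is deployed.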