Re: Multiple TLS keys or single key?



Today at 5:09pm, Maarten Thibaut wrote:

> As the cn: part of an SSL key needs to contain the fully qualified domain
> name of the host, what about machines with >1 hostname?

You need to set up their certificate so they understand all their names 
in (to the best of my knowledge) their one certificate.

> Should I use several keys on the same slapd server? Or should I create a
> key with >1 hostname in its cn list (I've heard that this is possible, but
> cannot find any documentation on this subject).
> 
> If it _is_ possible to have > 1 host per key, how can it be done?

If you are using a single instance of slapd (not running a slapd for 
each fqdn with different ports for each one), then I believe you are 
limited to a single certificate.  I have not found any globally 
recognized certificate makers who will make you a certificate that will 
keep the subjectAltName values.  You would need to have a DNS:fqdn entry 
for each of the hostnames (beyond the primary name of the machine) that 
clients will use to contact your server.

> If we should use > 1 key per host, how should they be configured in
> slapd.conf? Should each of the keys be specified as a
> TLSCertificateKeyFile in slapd.conf?

I think it is not possible to do that.  I believe (and if I'm wrong, I 
hope someone will correct me) that you either have to generate a 
certificate using the subjectAltName keyword listing fqdns 2 through n or 
you need to run multiple instances of slapd each with its own config 
file (thus able to have its own certificate/key) and not able to share 
databases.

> Thanks for any help with this!
> 
> maarten
> 

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
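Frank's first option above, one certificate whose subjectAltName carries every name clients use, as an added example that is not from the thread: it builds a self-signed certificate with OpenSSL 1.1.1+ (a public CA would sign the CSR instead) and checks hostnames against it the way a TLS client does. The hostnames and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: one slapd certificate valid for several hostnames via subjectAltName.
# Hostnames below are constructed placeholders; requires openssl 1.1.1 or newer.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/slapd.key"     # would go into TLSCertificateKeyFile
CRT="$WORKDIR/slapd.crt"     # would go into TLSCertificateFile

# Generate a key and a self-signed certificate whose CN is the primary
# name and whose subjectAltName lists every name clients may connect to.
make_multi_name_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/CN=ldap.example.org" \
        -addext "subjectAltName=DNS:ldap.example.org,DNS:ldap1.example.org,DNS:directory.example.org" \
        >/dev/null 2>&1
}

# Returns 0 if the certificate is valid for hostname $1: the same SAN match
# a TLS client performs on the name it used to reach the server.  The cert
# is self-signed, so it is also passed as the trust anchor.
cert_matches_host() {
    openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1
}

# Print the DNS names the certificate carries, one per line, for inspection.
san_names() {
    openssl x509 -in "$CRT" -noout -ext subjectAltName \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
```

When the SAN extension is present, clients ignore the CN for hostname matching, so the primary name must be listed there too.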