
[SOLVED] Re: multiple servers in DNS and TLS



Quanah Gibson-Mount <quanah@zimbra.com> wrote:

> > Is there some kind of trick to get this done properly?
> Use a cert with a correct subjectAltName, or a wildcard cert.

For future reference:

Assuming we have the following RRs in the DNS:
foo     IN      A       192.0.2.11
bar     IN      A       192.0.2.12
ldap    1 IN    A       192.0.2.11
ldap    1 IN    A       192.0.2.12

Create certificate for foo:
subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
CN=ldap.example.net

Create certificate for bar:
subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
CN=ldap.example.net

On foo and bar, for generating the CSR, I needed this in
/etc/openssl/openssl.cnf, in order to have openssl ask for a
subjectAltName:
[ req ]
(...)
distinguished_name      = req_distinguished_name
(...)
[ req_distinguished_name ]
(...)
subjectAltName          = Alternative Subject Name
subjectAltName_default  = DNS:fqdn

On the CA, for signing the certificate, I needed that in
/etc/openssl/openssl.cnf :

[ ca ]
default_ca      = CA_default
[ CA_default ]
(...)
policy          = policy_match

[ policy_match ]
(...)
subjectAltName          = optional

Then I have been able to use URI ldaps://ldap.example.net:636 in
ldap.conf.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
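The procedure above, as an added example that is not part of the original post: a throwaway CA issues one certificate per server, each with CN=ldap.example.net and a subjectAltName carrying the shared round-robin name plus the host's own name, and `openssl verify -verify_hostname` then shows which names each certificate is accepted for (the check an LDAP client performs). The SAN is supplied through a per-host extfile instead of edits to the global openssl.cnf; the host names are those from the post, the working directory and CA are constructed for this example.

```shell
#!/bin/sh
# Added example (not the poster's setup): issue foo and bar certificates
# that both carry the shared name ldap.example.net, then check them.
set -eu

# Scratch directory; the CA created here is a throwaway for the demo.
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA used only to sign the two server certificates.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert HOST: CSR with CN=ldap.example.net, signed by the CA with a
# subjectAltName of the shared name plus HOST.example.net. The extension
# comes from a small extfile, so the global openssl.cnf is untouched.
issue_cert() {
    host="$1"
    san="DNS:ldap.example.net,DNS:${host}.example.net"
    printf '[ san ]\nsubjectAltName=%s\n' "$san" > "$WORK/$host.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.net" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$host.csr" -days 30 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -extensions san \
        -out "$WORK/$host.pem" 2>/dev/null
}

# check_name HOST NAME: prints OK when HOST's certificate chains to the CA
# and is valid for NAME (SAN matching, CN ignored once a SAN is present),
# FAIL otherwise. This mirrors what a TLS client does on connect.
check_name() {
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
        "$WORK/$1.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# list_sans HOST: the SAN entries actually present in the issued certificate.
list_sans() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

make_ca
issue_cert foo
issue_cert bar
for h in foo bar; do
    echo "$h: $(list_sans "$h")"
    for n in ldap.example.net foo.example.net bar.example.net; do
        echo "  $n -> $(check_name "$h" "$n")"
    done
done
```

Each certificate is accepted for ldap.example.net and for its own host name, and rejected for the other server's name; a client configured with `ldaps://ldap.example.net` therefore validates whichever A record the resolver hands it, while an admin connecting to foo.example.net or bar.example.net directly still gets a matching name.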