Re: multiple server certificates
Quanah Gibson-Mount wrote:
> --On Tuesday, April 29, 2008 2:57 PM -0700 Howard Chu <email@example.com> wrote:
>> I'm also skeptical about the motivation for this discussion. If you have
>> separate certs from separate CAs, then you really have distinct security
>> domains so I don't understand why you need them to share databases. You
>> might as well just run separate slapds.
>
> Multiple addresses from different domains on a given interface come to
> mind, where the database is particularly large, so you don't want to have
> multiple slapds taking up the resources. That way each address could be
> secured via SSL, but access the same DB with a single slapd. Say, for
> example, x.google.org and y.google.com.

You can only have one listener per interface, so none of those considerations

>> Again, if you're really serving multiple distinct security domains, then I
>> don't see what data would be shared between them. It would be poor security
>> practice to have them sharing anything.
>>
>> This is the real question - why are you using server certs from different CAs?
>
> It seems Hallvard will have to answer that, since he posed the original question.

If it were just about mapping multiple DNS names to the same server, you
wouldn't need to involve multiple CAs. You would just use a single cert, with
multiple subjectAltNames. The use of different CAs means you have totally
different administrative realms, different political authorities, and
different policies. It is extremely unlikely that two different administrative
bodies with different policies would jointly administer the same database.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
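To illustrate the single-cert, multiple-subjectAltNames point made above, here is an added example (not code from the thread or from the OpenLDAP project) of the client-side name check that lets one certificate serve several DNS names; the SAN list and hostnames are constructed, reusing the two names from the thread, and the matching rules follow RFC 6125 section 6.4.3.

```python
"""Hostname matching against a certificate's subjectAltName dNSName entries.

Constructed example: one certificate listing several dNSName SANs covers
several DNS names, while a name outside the SAN set is rejected even when it
shares a parent domain. Rules: case-insensitive labels, a wildcard only as
the whole leftmost label, and a wildcard never spanning more than one label.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; '*' alone matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers `hostname`."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard never spans multiple labels
    if "*" in san_labels[1:]:
        return False  # wildcard permitted only in the leftmost label
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False  # refuse overly broad wildcards such as "*.com"
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def cert_covers(dns_sans, hostname: str) -> bool:
    """True if any dNSName SAN entry of one certificate matches `hostname`."""
    return any(san_matches(s, hostname) for s in dns_sans)


# Constructed SAN list for a single server certificate: the two example
# names from the thread plus a wildcard entry (hypothetical domain).
EXAMPLE_SANS = ("x.google.org", "y.google.com", "*.ldap.example.net")

if __name__ == "__main__":
    for name in ("x.google.org", "Y.GOOGLE.COM", "z.google.com",
                 "a.ldap.example.net", "a.b.ldap.example.net"):
        print(f"{name:22} -> {cert_covers(EXAMPLE_SANS, name)}")
```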