[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antwort: Re: SSL certificates, kerberos keytabs, and load balancing [Virus checked]

To: <denis.havlik@t-mobile.at>
Subject: Re: Antwort: Re: SSL certificates, kerberos keytabs, and load balancing [Virus checked]
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Wed, 14 Apr 2004 11:33:03 +0200 (CEST)
Cc: <quanah@stanford.edu>, <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <OFC548A625.365A85EA-ONC1256E76.002ED967-C1256E76.002FCC2B@t-mobile.at>
References: <OFC548A625.365A85EA-ONC1256E76.002ED967-C1256E76.002FCC2B@t-mobile.at>

>>Actually, I'm not. ;) We stopped using verisign and moved to
>> InstantSSL.  The problem there is they do not support subjectAltName
>> tags.  Do you
> know
>>a vendor that does?  For various reasons, I cannot use self-signed
>> certs
> on
>>our production servers, or I'd just go that route.
>
> Why would you use the self-signed certificates?
>
> 1) Self-signed certs aren't a particularly good solution security-wise
> 2) openLDAP software doesn't like them. (or maybe I've been doing
> something wrong at that time...)

Default behavior.  You can disable it, I don't remember how
but it's documented in the Admin Guide under TLS.

p.

> 3) Establishing an internal CA is not such a big deal.
>
> CAs are a matter of trust. In a company, I trust the "security" folks in
>  the IT, in the outside world I trust Verisign(*)...

Agree, although, if you have only one server and no IT department,
a self-signed is not too bad a choice.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- Antwort: Re: SSL certificates, kerberos keytabs, and load balancing [Virus checked]
  - From: denis.havlik@t-mobile.at

Prev by Date: Re: Antwort: Re: distributed directories [Virus checked]
Next by Date: benchmarks &real world
Index(es):
- Chronological
- Thread