Re: Antwort: Re: SSL certificates, kerberos keytabs, and load balancing [Virus checked]
>>Actually, I'm not. ;) We stopped using verisign and moved to
>> InstantSSL. The problem there is they do not support subjectAltName
>> tags. Do you
>>a vendor that does? For various reasons, I cannot use self-signed
>>our production servers, or I'd just go that route.
> Why would you use the self-signed certificates?
> 1) Self-signed certs aren't a particularly good solution security-wise
> 2) OpenLDAP software doesn't like them. (or maybe I've been doing
> something wrong at that time...)
Default behavior. You can disable it, I don't remember how
but it's documented in the Admin Guide under TLS.
> 3) Establishing an internal CA is not such a big deal.
> CAs are a matter of trust. In a company, I trust the "security" folks in
> the IT, in the outside world I trust Verisign(*)...
Agree, although, if you have only one server and no IT department,
a self-signed is not too bad a choice.