
Re: Some TLS questions



On Wed, Jul 21, 2004 at 08:03:52AM -0300, Jean-Rene Cormier wrote:
> Is there a way I can create the certificate so I can connect to the
> server using different hostnames so I could use CNAMEs to make
> openldap.mydomain.com point to hostname.mydomain.com?

Yes, use subjectAltName. Works perfectly, I just tried it yesterday.
You will need something like this in the usr_cert section in your
openssl.cnf file if you are generating your own certificates:

subjectAltName = DNS:server.company.com,IP:1.2.3.4

Just an example, of course. I guess wildcards are also allowed, but
I haven't tried those.

> Also this is not really specific to OpenLDAP and more of a generic
> SSL/TLS question but if you have different services running on one
> server do you use the same certificate/private key for both services or
> do you create a new one? If you create a new one, can you use the same
> CN for both certificates?

I would use a new certificate/key pair for the other service.
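As an added illustration of the subjectAltName point above (this is not code from the thread or from OpenLDAP/OpenSSL), the script below parses an openssl.cnf-style `subjectAltName = ...` line and applies the client-side name-matching rules a TLS client uses: the name the client connected with (the CNAME alias such as openldap.mydomain.com, not the canonical hostname it resolves to) must appear in the SAN list, either exactly or via a wildcard that is the entire leftmost label. The SAN line is a constructed sample modelled on the one in the reply; the function names are my own.

```python
"""Check which hostnames a certificate with a given subjectAltName would match.

Added example, not from the original mailing-list thread. It reads an
openssl.cnf-style subjectAltName value and applies RFC 6125-style matching:
exact DNS match, or a wildcard only as the whole leftmost label, with the
conservative rule that a wildcard needs at least two labels after it.
"""
import ipaddress

# Constructed sample, modelled on the line quoted in the reply (assumption).
SAN_LINE = (
    "subjectAltName = DNS:hostname.mydomain.com,"
    "DNS:openldap.mydomain.com,DNS:*.dev.mydomain.com,IP:1.2.3.4"
)


def parse_san(line):
    """Return (dns_names, ip_addresses) from an openssl.cnf subjectAltName line."""
    _, _, value = line.partition("=")
    dns, ips = [], []
    for entry in value.split(","):
        kind, _, name = entry.strip().partition(":")
        kind, name = kind.strip().upper(), name.strip()
        if kind == "DNS":
            dns.append(name.lower())
        elif kind == "IP":
            ips.append(ipaddress.ip_address(name))
        # Other SAN types (email:, URI:, ...) are not used for hostname checks here.
    return dns, ips


def dns_name_matches(pattern, hostname):
    """True if a SAN DNS entry (possibly wildcard) matches the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label and cover exactly one label.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    # Reject "*.com"-style patterns: require at least two labels after the '*'.
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(line, target):
    """True if `target` (hostname or IP literal) is covered by the SAN line."""
    dns, ips = parse_san(line)
    try:
        # IP literals are matched only against IP: entries, never DNS: entries.
        return ipaddress.ip_address(target) in ips
    except ValueError:
        return any(dns_name_matches(p, target) for p in dns)


if __name__ == "__main__":
    for name in ("openldap.mydomain.com", "hostname.mydomain.com",
                 "ldap.mydomain.com", "box.dev.mydomain.com",
                 "a.b.dev.mydomain.com", "1.2.3.4"):
        print(f"{name:24s} -> {san_matches(SAN_LINE, name)}")
```

The practical consequence for the CNAME setup in the question: every alias that clients will type or configure has to be listed as its own `DNS:` entry (or covered by a one-label wildcard), because the client checks the name it connected to, not whatever the alias resolves to.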