[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Multi-homed machine and TLS

Again, if I am not wrong, let me clarify:
The two certs in my cacert.pem at my LDAP clients are neither Server cert or CA certs, they are "Server Certs Self-Signed by a CA Cert generated at the server". The file name happened to be named "cacert.pem", one can call it anything.
I did not send any server cert to valid CA and paid for the signing service. Most testing systems use self signed certs.
-----Original Message----- 
From: Greg Matthews [mailto:gmatt@nerc.ac.uk] 
Sent: Wed 9/15/2004 6:50 PM 
To: Tay, Gary 
Cc: Imobach González Sosa; openldap 
Subject: RE: Multi-homed machine and TLS

	On Wed, 2004-09-15 at 11:27, Tay, Gary wrote:
	> I have the similar requirement as yours:
	> I am using start_tls and when MASTER LDAP Server is down, the LDAP
	> Client will look for SLAVE LDAP Server using TLS, and the FQDN will be
	> changed to SLAVE LDAP Server as indicated in /etc/ldap.conf and
	> $ETC_OPENLDAP/ldap.conf
	> If I am not wrong (I think I must always quote this "protection"
	> clause), u could generate additional server certs using the 2nd
	> commonName, and COMBINE all the certs into a SINGLE cacert.pem, I am
	> not sure the end result if u were to do this at the multi-homed LDAP
	> Server end, I did this at the LDAP client end for LDAP MASTER to SLAVE
	> faillover to work.
	you are mixing up server certificates and CA certificates. You only need
	one CA certificate to verify all server certificates generated by that
	CA. Therefore your clients only need one CA cert in cacert.pem to verify
	the master and slave server certs, unless they are issued by seperate
	CAs in which case, it is fine to put the two CA certs into one file.
	The original problem is that the LDAP server may have a number of
	genuine names/aliases but the cert will only have one CN. using
	SubjectAltName is the correct way to do things but many clients do not
	use this extension (Solaris anyone?) so it is not a foolproof solution.
	Greg Matthews
	iTSS Wallingford        01491 692445