RE: Multi-homed machine and TLS
Again, if I am not wrong, let me clarify:
The two certs in my cacert.pem at my LDAP clients are neither Server certs nor CA certs, they are "Server Certs Self-Signed by a CA Cert generated at the server". The file happened to be named "cacert.pem", one can call it anything.
I did not send any server cert to a valid CA and pay for the signing service. Most testing systems use self-signed certs.
From: Greg Matthews [mailto:firstname.lastname@example.org]
Sent: Wed 9/15/2004 6:50 PM
To: Tay, Gary
Cc: Imobach González Sosa; openldap
Subject: RE: Multi-homed machine and TLS
On Wed, 2004-09-15 at 11:27, Tay, Gary wrote:
> I have a similar requirement to yours:
> I am using start_tls and when MASTER LDAP Server is down, the LDAP
> Client will look for SLAVE LDAP Server using TLS, and the FQDN will be
> changed to SLAVE LDAP Server as indicated in /etc/ldap.conf and
> If I am not wrong (I think I must always quote this "protection"
> clause), u could generate additional server certs using the 2nd
> commonName, and COMBINE all the certs into a SINGLE cacert.pem, I am
> not sure the end result if u were to do this at the multi-homed LDAP
> Server end, I did this at the LDAP client end for LDAP MASTER to SLAVE
> failover to work.
You are mixing up server certificates and CA certificates. You only need
one CA certificate to verify all server certificates generated by that
CA. Therefore your clients only need one CA cert in cacert.pem to verify
the master and slave server certs, unless they are issued by separate
CAs in which case, it is fine to put the two CA certs into one file.
The original problem is that the LDAP server may have a number of
genuine names/aliases but the cert will only have one CN. Using
SubjectAltName is the correct way to do things but many clients do not
use this extension (Solaris anyone?) so it is not a foolproof solution.
iTSS Wallingford 01491 692445
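
The name-matching problem described in the reply above, as an added example that is not part of the original thread: a client that honors SubjectAltName accepts every alias of a multi-homed server, while a CN-only client accepts just one name. The hostnames and certificate dicts are constructed, in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the wildcard handling goes slightly beyond the case discussed.

```python
# Added illustration. Hostnames are hypothetical; the cert dicts are constructed
# by hand in the shape that ssl.SSLSocket.getpeercert() returns.

CN_ONLY = {"subject": ((("commonName", "ldap1.example.com"),),)}
WITH_SAN = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap1.example.com"),
        ("DNS", "ldap.example.com"),        # service alias
        ("DNS", "ldap1-mgmt.example.com"),  # second interface
    ),
}

def name_matches(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def presented_names(cert, honor_san=True):
    """Names the client compares the requested host against."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if honor_san and sans:
        return sans  # RFC 6125: when dNSName entries exist, the CN is not consulted
    # Client without SAN support (or cert without SAN): fall back to the CN
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def host_ok(cert, host, honor_san=True):
    """True if the certificate is acceptable for the host the client asked for."""
    return any(name_matches(n, host) for n in presented_names(cert, honor_san))

def report(hosts=("ldap1.example.com", "ldap.example.com", "ldap1-mgmt.example.com")):
    """Map (cert label, client type, host) -> accepted?"""
    out = {}
    for label, cert in (("cn-only", CN_ONLY), ("with-san", WITH_SAN)):
        for client, honor in (("san-aware", True), ("cn-only-client", False)):
            for host in hosts:
                out[(label, client, host)] = host_ok(cert, host, honor)
    return out

if __name__ == "__main__":
    for key, accepted in report().items():
        print(key, "accepted" if accepted else "REJECTED")
```
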