Re: N-Way-Multimaster Configuration

[Brian Reichert <reichert@numachi.com>]

On Tue, Jan 14, 2014 at 03:09:43PM -0500, Borresen, John - 0442 - MITLL wrote:
> These will be self-signed certs.  Internally facing servers, approximately 120 to 200 client end-user machines, and 200 to 500 "other" servers.
> 
> We, that is my group, does not "own" the facilities domainname (llan.ll.mit.edu); our ldap name is does not have the mit.edu in its name -- long story.

Do you mean that you'll be accessing these hosts using non-fully
qualified hostnames? (e.g. 'server1.llan.ll' or 'server1' ?)  If
so, you can put these names in the SAN list.  You can put IPs in
there, too, but MS wants special treatment for that...

Really, though, as you're doing this all privately, you need to
consider:

- How often would the membership of your cluster change (adding/removing
  hosts)?

- How are you distributing the trust of the signer?  One CA means
  your clients only need to be told once about the signer, and
  self-signed means your clients needs to be told about each cert.
  (Well, each signer, but sounds like it's implicitly fluid, given
  the prior question.)

If
- cluster membership will change
- you don't want to touch each client when that happens
- you're using non-fully qualified hostnames

The I think you'll benefit from a CA, rather than self-signed
certificates.

That doesn't address wildcard vs a SAN list.  Can you forecast that
the current and future hostnames for your cluster will always be
expressible as a wildcard?  If not, consider a SAN list.

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large