no need for wildcard certs… use the Subject Alt Name. Works fine. Been doing it for years. certutil supports it as well.
/mrg

On May 12, 2014, at 12:08 PM, David Boreham <[email protected]> wrote:

> On 5/12/2014 9:53 AM, Elizabeth Jones wrote:
>> Do the certs have to have the server hostnames in them or can I create a
>> cert that has a virtual name and put that on all the LDAP servers?
>
> If I understand the scenario: you are using a LB that passes through SSL
> traffic to the LDAP servers without terminating the SSL sessions (packets
> come in from clients, and are sent to the LDAP server of choice untouched by
> the LB). In that case you can deploy a cert on all the LDAP servers with the
> virtual hostname the clients use to make their connections to the LB. The
> clients will validate the cert presented because its hostname matches the one
> they used to make the connection.
>
> However, note that any LDAP client that needs to make a connection to a
> specific server (bypassing the LB) will now see the "wrong" hostname and
> hence fail the certificate host name check (e.g. replication traffic from
> other servers).
>
> A wildcard host name may be a good solution in this case.
>
> There may be a way to get the LDAP server to present different certificates
> depending on the source IP (hence avoiding the need for a wildcard cert), but
> I don't remember such a feature existing off the top of my head.
>
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
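As an added example (not written by anyone on the thread), the client-side hostname check the reply above relies on, run against constructed SAN lists for the three certificate options discussed: virtual name only, a SAN listing every server, and a wildcard. The hostnames ldap.example.com, ldap1.example.com and ldap2.example.com are placeholders.

```python
"""Hostname check a TLS client applies to the names in a server certificate.

Shows the thread's point: a cert carrying only the load balancer's virtual
name passes for connections made through the LB but fails for a connection
made directly to one LDAP server (e.g. replication). Listing every server in
the Subject Alternative Name, or using a wildcard, covers both cases.
All certificate data below is constructed for the example.
"""


def name_matches(san_name: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname.

    Matching is case-insensitive; a wildcard is accepted only as the entire
    leftmost label, matches exactly one label, and needs at least two
    further labels (so '*.com' never matches).
    """
    san_labels = san_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if san_labels[0] == "*":
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry of the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


# Constructed SAN lists for the three certificate options from the thread.
VIRTUAL_ONLY = ["ldap.example.com"]
SAN_ALL_HOSTS = ["ldap.example.com", "ldap1.example.com", "ldap2.example.com"]
WILDCARD = ["*.example.com"]

# Two ways a client connects: via the LB's virtual name, or straight to one
# server (the replication case that bypasses the LB).
CONNECTIONS = ["ldap.example.com", "ldap1.example.com"]


def evaluate(cert_sans):
    """Map each connection hostname to whether the cert passes the check."""
    return {host: cert_covers(cert_sans, host) for host in CONNECTIONS}


if __name__ == "__main__":
    for label, sans in [("virtual-only", VIRTUAL_ONLY),
                        ("san-all-hosts", SAN_ALL_HOSTS),
                        ("wildcard", WILDCARD)]:
        print(f"{label:14} {evaluate(sans)}")
```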
