On Tue, 2018-02-20 at 16:00 +0100, Francesco Marchesi wrote:
> Hi.
> We are in the process of renewing the certificates of our two 389DS
> servers which sync through multimaster replication.
> We are currently using a self-signed certificate shared between the
> two servers.
> Our topology is like this:
> 
> HAProxy : ldap.example.com for load balancing
> LDAP1 : ldap1.example.com
> LDAP2 : ldap2.example.com
> 
> Connections are made from clients to ldaps://ldap.example.com which
> sends requests to either ldap1 or ldap2
> Following the 'SSL howto' [1] we would like to have separate 'real'
> certificates for the two servers.
> If I'm not wrong, the certificate signing requests should be created
> in each of the two 'real' servers for their real name and adding
> ldap.example.com as subjectaltname.
> Is that correct?

That is correct!

Today you actually need ldap.example.com AND ldap1.example.com in the
subjectAltName, because that's the "definitive" field. I think the rule
is "if a SAN is present use it for hostnames instead of CN in the
subject".

> If yes, then I have another question: having the two certificates it
> is not important which one clients use, is it?

No, because the clients trust the CA that issues the two certs, not the
individual certs themselves.

Hope that helps! 

> Thanks,
> Francesco
> 
> [1] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
-- 
Thanks,

William Brown
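The procedure discussed above, as an added example (this is editor-supplied
code, not from the 389DS project or the people in this thread): each server
builds its own key and CSR with a subjectAltName carrying its own name and
the load-balancer name, a CA signs it, and openssl's hostname check is used
to confirm which names a client would accept. The hostnames, the throw-away
CA and the scratch directory are assumptions for the demo; in production the
CSR goes to the real CA, and the key and certificate are then imported into
each server's NSS database, which is the part the SSL howto [1] covers.

```sh
#!/bin/sh
# Added example (not from the 389DS project or the thread's authors): create a
# per-server CSR whose subjectAltName lists the server's own name and the
# load-balancer name, sign it with a throw-away CA, and show which hostnames
# the resulting certificate actually matches.  The hostnames, the scratch CA
# and the scratch directory are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, not cleaned up

# make_ca: a throw-away CA standing in for the organisation's real issuer.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Internal CA (assumption)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_cert <label> <cn> <san-list>
# Builds the CSR as the "server" would (the private key never leaves it),
# then has the CA sign it.  <san-list> is the comma-separated subjectAltName
# value, e.g. "DNS:ldap1.example.com,DNS:ldap.example.com".  x509 -req does
# not copy CSR extensions by itself, so the same SAN is passed via -extfile.
issue_cert() {
    label="$1"; cn="$2"; san="$3"
    cat > "$WORK/$label.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$label.cnf" \
        -keyout "$WORK/$label.key" -out "$WORK/$label.csr" >/dev/null 2>&1
    printf 'subjectAltName = %s\n' "$san" > "$WORK/$label.ext"
    openssl x509 -req -days 30 -in "$WORK/$label.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$label.ext" -out "$WORK/$label.pem" >/dev/null 2>&1
}

# cert_matches <label> <hostname>: exit 0 if a client connecting to <hostname>
# would accept this certificate's names, 1 otherwise.  OpenSSL applies the
# same rule as TLS clients: once a SAN is present, the CN is not consulted.
cert_matches() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkhost "$2" | grep -q ' does match '
}

# chain_ok <label>: exit 0 if the certificate chains to the CA clients trust.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Stand-alone demo: the two real servers, plus a cert that has ldap1 only in
# the CN to show why the server's own name must also be in the SAN.
make_ca
issue_cert ldap1 ldap1.example.com "DNS:ldap1.example.com,DNS:ldap.example.com"
issue_cert ldap2 ldap2.example.com "DNS:ldap2.example.com,DNS:ldap.example.com"
issue_cert cnonly ldap1.example.com "DNS:ldap.example.com"
for label in ldap1 ldap2 cnonly; do
    for host in ldap.example.com ldap1.example.com ldap2.example.com; do
        if cert_matches "$label" "$host"; then r=match; else r=NO-match; fi
        echo "$label.pem  $host  $r"
    done
done
```

Running it prints a match table: ldap1.pem matches ldap.example.com and
ldap1.example.com, ldap2.pem matches ldap.example.com and ldap2.example.com,
and cnonly.pem matches ldap.example.com only, even though its CN is
ldap1.example.com. That last row is the point William makes: with a SAN
present the CN is ignored, so a direct connection to ldaps://ldap1.example.com
(for replication agreements, monitoring or debugging) only works if that name
is in the SAN as well.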