I have (for some days now) worked on activating SSL/TLS on my
LDAP server and have run into problems.
1) I have two identical LDAP servers, xyz1.hh.se and xyz2.hh.se, with
replication. All working nicely.
2) Both servers answer to the name ldap.hh.se (i.e. DNS round-robin of
the two IP numbers).
My first setup was to create a CA and sign the two host certificates
with this CA (i.e. "self-signed" or "closed community").
I also added "subjectAltName=DNS:ldap.hh.se,DNS:*.hh.se" to my host
certificate.
This setup worked as expected and we have tested a lot of various clients,
software, OSes (Windows, *nix, Mac), applications, mail systems, ... .
During the tests we realized that the CA certificate must be
installed in the clients as a trusted root certificate, and this can be
more or less complicated from system to system.
This experience gave the next approach: to buy a commercial certificate
(from Verisign). Now I have a trusted root certificate on most of the
clients. Good. No more special CA installation on the client side...
But... when I finally installed the "real" certificate on the LDAP
servers I realized that the "subjectAltName" was removed by Verisign and
now I can't connect to ldap.hh.se with some clients. Connecting to
xyz1.hh.se or xyz2.hh.se directly works fine.
The questions, finally :-)
1) Have I missed something in this? I may have done something the wrong
way.
2) What is the "best practice" here? Try to get Verisign to include
subjectAltName, OR use "closed community" certificates and install my
own trusted root CA on clients (or maybe some other way to solve this)?
3) Any other input or suggestions?
--
Magnus Morén
Central IT (CITE), Halmstad University, 035-167383
Box 823, 301 18 HALMSTAD, e-mail: [EMAIL PROTECTED]
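The failure described in the post is the client-side hostname check: a TLS client compares the name it connected to (ldap.hh.se) against the certificate's subjectAltName DNS entries, falling back to the subject commonName only when no SAN is present, so a certificate that carries only CN=xyz1.hh.se is rejected for the round-robin alias. The following is an added example (not code from the post or from any vendor) that implements that check over two constructed certificates in the dict shape Python's ssl.SSLSocket.getpeercert() returns: one shaped like the CA-signed certificate with the SANs from the post, one shaped like the commercial certificate with the SAN extension stripped. The certificate dicts, the alias list and the helper names are assumptions made for the example.

```python
"""Hostname matching against an X.509 certificate's names, the way TLS
clients do it (RFC 6125 style): SAN DNS entries first, commonName only as
a fallback, and a '*' wildcard covering exactly one leftmost label.

The two certificate dicts below are constructed stand-ins for the
certificates described in the post, in the form returned by
ssl.SSLSocket.getpeercert(); they are not real certificates."""

# Constructed: host certificate signed by the local CA, with the SANs the
# post says were added ("subjectAltName=DNS:ldap.hh.se,DNS:*.hh.se").
CA_SIGNED_CERT = {
    "subject": ((("commonName", "xyz1.hh.se"),),),
    "subjectAltName": (("DNS", "ldap.hh.se"), ("DNS", "*.hh.se")),
}

# Constructed: commercial certificate as described in the post, with the
# subjectAltName extension removed by the issuer. Only the CN is left.
COMMERCIAL_CERT = {
    "subject": ((("commonName", "xyz1.hh.se"),),),
}


def cert_dns_names(cert):
    """Return the names a client may match against.  If the certificate has
    any SAN DNS entries those are authoritative and the commonName is
    ignored; only a SAN-less certificate falls back to the commonName."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname.  Comparison is
    case-insensitive.  A wildcard is accepted only as the whole leftmost
    label and only when at least two labels follow it, so '*.hh.se'
    covers 'ldap.hh.se' but not 'a.b.hh.se', not 'hh.se', and '*.se'
    is refused outright (stricter than some clients, never looser)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if a client connecting to `hostname` would accept `cert`."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def check_alias(cert, aliases):
    """Report, per name a client might connect to, whether the certificate
    would be accepted.  Useful as a pre-deployment check on a round-robin
    alias before swapping certificates on the servers."""
    return {alias: hostname_matches(cert, alias) for alias in aliases}


if __name__ == "__main__":
    names = ["xyz1.hh.se", "xyz2.hh.se", "ldap.hh.se"]
    for label, cert in (("CA-signed", CA_SIGNED_CERT), ("commercial", COMMERCIAL_CERT)):
        print(label, check_alias(cert, names))
```

Run stand-alone it shows the CA-signed certificate accepted for all three names and the commercial one accepted only for xyz1.hh.se, which is exactly the symptom in the post. The same check can be run against a live server by feeding `ssl.SSLSocket.getpeercert()` output to `check_alias`; when generating a replacement request, OpenSSL 1.1.1 and later accept the SAN directly on the command line, e.g. `openssl req -new -addext "subjectAltName=DNS:ldap.hh.se,DNS:xyz1.hh.se"`, so the names can be verified in the CSR before it is sent to the issuer.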