Michael Ströder wrote:
> Magnus Morén wrote:
>> 2)  What is the "best practice" here? Try to get Verisign to include
>> subjectAltName OR
>
> A CA is free to issue certs based on their policy which also contains a
> cert profile (including the extensions). One might suspect that
> subjectAltName might be regarded as an extension causing harm to the
> pay-per-DNS-name business of Verisign...

True.

Does anybody know about another CA (other than Verisign) that can include subjectAltName?

> Do you benefit in any way from the pre-installed CA certs of Verisign? If
> no, run your own CA.

The benefit of using a pre-installed CA cert is the fact that I do not need to install my own CA in all client systems.

We are in the position right now where we can choose to do it either way, but we want to choose "the best way". We do not know which clients and systems we will use in the future, and we try to make it as easy as possible for as many systems as possible (i.e. mail, web portals, printing systems, in-house apps, web browsers, mail clients, cell phones(?), ...)

> And why not simply install the same cert and key pair on all your
> replicas? Are the hostnames xyz1.hh.se or xyz2.hh.se also directly used
> with SSL/TLS (e.g. for replication)?

We do use the xyz-name for replication, but it is probably OK to do replication without encryption.

My concern with this "use the same cert and key pair on all your replicas" is the following text from the installation documentation of our LDAP server software:

"SYMAS, Installation Guidelines and General Information for Connexitor Directory Services Version 3"

"The only field where an answer is prescribed is the Common Name (CN) field. For this field you MUST enter the fully qualified DNS name of the machine on which the CDS server (slapd) will be running. Note that this name must match what the reverse DNS lookup will return, so a made-up DNS name will not work."

My reverse DNS name is different on all the replicas.


--
Magnus Morén
Central IT (CITE), Halmstad University,       035-167383
Box 823, 301 18 HALMSTAD, epost: [EMAIL PROTECTED]
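
The thread turns on how a TLS client decides which hostnames a server certificate is valid for. The following is an added example (not code from the thread, from Symas, or from any LDAP product) that models that client-side check with Python's standard library only: a subjectAltName dNSName list is consulted first, and the Common Name is used only as a fallback when no dNSName entries exist, which is the behaviour of current browsers and most TLS libraries. The replica names xyz1.hh.se and xyz2.hh.se come from the thread; ldap.hh.se is an assumed service name, and the certificate dicts are constructed samples in the shape returned by ssl.getpeercert(). Note that a client compares the name it connected to against the certificate; reverse DNS of the server's address plays no part in that comparison.

```python
"""Model a TLS client's hostname check against a server certificate.

Shows why one cert+key pair with a subjectAltName covering every replica
name can be shared by all replicas, while a CN-only cert matches a single
hostname. Certificate dicts below are constructed samples, laid out like
the output of ssl.getpeercert() (assumption: no real certs are parsed).
"""

# Constructed: one cert whose SAN lists the service name and both replicas.
SAN_CERT = {
    "subject": ((("commonName", "ldap.hh.se"),),),          # assumed service name
    "subjectAltName": (
        ("DNS", "ldap.hh.se"),
        ("DNS", "xyz1.hh.se"),
        ("DNS", "xyz2.hh.se"),
    ),
}

# Constructed: legacy cert with only a CN, as the quoted Symas guidance prescribes.
CN_ONLY_CERT = {
    "subject": ((("commonName", "xyz1.hh.se"),),),
}

# Constructed: SAN present but CN not repeated in it; clients ignore the CN here.
SAN_IGNORES_CN_CERT = {
    "subject": ((("commonName", "xyz2.hh.se"),),),
    "subjectAltName": (("DNS", "xyz1.hh.se"),),
}


def _dns_pattern_matches(pattern, hostname):
    """RFC 6125 section 6.4.3 style comparison.

    Case-insensitive; a wildcard is accepted only as the whole left-most
    label, only matches exactly one label, and needs at least two labels
    to its right (so '*.se' never matches 'hh.se').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False  # partial wildcards such as 'xyz*.hh.se' are rejected
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return the DNS names a client would consider the cert valid for.

    subjectAltName dNSName entries win outright; the CN is only consulted
    when the certificate carries no dNSName at all.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return dns_names
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def match_hostname(cert, hostname):
    """True if a client connecting to `hostname` would accept `cert`."""
    return any(_dns_pattern_matches(p, hostname) for p in cert_names(cert))


def replicas_served(cert, replica_hosts):
    """Map each replica hostname to whether the shared cert is valid for it."""
    return {host: match_hostname(cert, host) for host in replica_hosts}


if __name__ == "__main__":
    replicas = ["xyz1.hh.se", "xyz2.hh.se"]
    print("SAN cert:    ", replicas_served(SAN_CERT, replicas))
    print("CN-only cert:", replicas_served(CN_ONLY_CERT, replicas))
```

Running it shows the SAN cert accepted on both replicas and the CN-only cert accepted on xyz1.hh.se only; the third sample shows that once a SAN is present, a name that appears only in the CN no longer matches, so every replica name must be listed in the SAN.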

---
You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the 
SUBJECT of the message.
