Hi,

Sorry to trouble you again. 

> The Subject of a certificate is the _owner_ of the certificate, i.e.  in
> context of an SSL webserver the DN which described the server. The DN here is
> usually something like

I see, but will someone check the subject (manually?) for the identity of the
owner through LDAP?  I just wonder if there will be a problem when the
"identity" of an object found in LDAP and in a certificate is different.  I
always get confused when talking about the "identity" of an object.  Maybe it's
a bit off topic: Can I identify someone globally and uniquely?

> /C=XY /ST=Snake Desert /L=Snake Town 
> /O=Snake Oil, Ltd /OU=Webserver Team /CN=www.snakeoil.dom
> 
> where CN is the most important part: it's the FQDN of the webserver. But when
> you use mod_ssl's "make certificate" procedure to generate your server
> certificate you get reasonable sample/defaults. Just adapt these
> sample/defaults to your local situation and you get a reasonable Subject DN. 
> 
> > Some documents mention that it's the DN. 
> > Does this DN correspond to entry
> > in my LDAP DIT ?  
> 
> Yes, DN stands for Distinguished Name here, too. And it's really an X.509 DN
> which is also used by LDAP (because LDAP is based on the X.500/X.509 scheme,
> too). So the Subject DN of your server _can_ correspond to the DN in your LDAP
> database when you have an entry for your server there.  But it hasn't, of
> course. Because SSL is independent of LDAP/X.500.  It just uses certificates
> which are based on the same X.509 standard.
> 
> > Can I have different DNs in LDAP and certificate?  
> > I apologize for any faq.
> 
> Sure. Apache+mod_ssl doesn't query your LDAP database...

In fact, we're in the process of setting up LDAP and a CA locally.  However, there's
a long discussion here about the DN definition.  Someone proposed the "dc" model
- to have DN: uid=<unique id>, dc=cuhk, dc=edu, dc=hk, according to RFC 2247,
while someone else suggested using the DN in a certificate (like those generated
by SSLeay).  Currently our applications will check the RDNs in an entry, e.g.
mail, while some applications (like Communicator) only check certain attributes
(e.g. mail) when talking to LDAP instead of using the DN.
Although there's no immediate need for extracting information from a certificate,
it'll be a nightmare to change the DN after production. :(

Any comment?

Thanks again.

Sincerely,
ST
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
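As an added illustration of the point discussed in this thread (not code from the thread, from mod_ssl or from SSLeay): the OpenSSL-style Subject DN quoted above and an LDAP DN are two string forms of the same X.500 naming model, so they can be converted into one another, and the RFC 2247 "dc" model maps a DNS domain onto a DN. The sample subject and the domain cuhk.edu.hk are taken from the thread; the hostname list passed to the final check is a constructed stand-in for whatever attribute a directory entry would carry.

```python
"""Added example (not from the mailing-list thread, mod_ssl or SSLeay):
converting an OpenSSL-style X.509 Subject DN to the RFC 2253 LDAP string form,
building an RFC 2247 'dc' DN from a DNS domain, and checking a certificate's
CN against the hostnames recorded for an entry.  Sample values are constructed
from the thread's example subject (www.snakeoil.dom) and domain (cuhk.edu.hk)."""

from typing import List, Tuple

# Characters that RFC 2253 requires to be escaped inside an attribute value.
_LDAP_SPECIAL = set(',+"\\<>;')


def parse_openssl_subject(subject: str) -> List[Tuple[str, str]]:
    """Parse '/C=XY /ST=Snake Desert ... /CN=www.snakeoil.dom' into ordered
    (attribute, value) pairs, most significant (C) first, as OpenSSL prints it."""
    rdns = []
    for part in subject.split("/"):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def escape_ldap_value(value: str) -> str:
    """Escape a value for the RFC 2253 string form, e.g. 'Snake Oil, Ltd' contains
    a comma that would otherwise be read as an RDN separator."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _LDAP_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def to_ldap_dn(rdns: List[Tuple[str, str]]) -> str:
    """LDAP DN string: most specific RDN first, comma separated, values escaped."""
    return ",".join(f"{attr}={escape_ldap_value(val)}" for attr, val in reversed(rdns))


def domain_to_dc_dn(domain: str) -> str:
    """RFC 2247 mapping of a DNS domain to a DN: 'cuhk.edu.hk' -> 'dc=cuhk,dc=edu,dc=hk'."""
    labels = [lbl for lbl in domain.lower().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={lbl}" for lbl in labels)


def subject_cn(cert_subject: str) -> str:
    """Return the CN of the subject; for a web server certificate this is the FQDN."""
    for attr, val in parse_openssl_subject(cert_subject):
        if attr.upper() == "CN":
            return val
    raise ValueError("subject has no CN")


def cn_matches_host(cert_subject: str, hostnames: List[str]) -> bool:
    """The practical check: compare the certificate's CN (the server FQDN) against
    the hostname(s) recorded for the directory entry, rather than requiring the
    whole Subject DN to equal the entry's DN.  'hostnames' is a constructed
    stand-in for whatever attribute the entry actually carries."""
    cn = subject_cn(cert_subject).lower()
    return cn in {h.lower() for h in hostnames}


# Constructed from the subject quoted in the thread (joined onto one line).
SAMPLE_SUBJECT = ("/C=XY /ST=Snake Desert /L=Snake Town /O=Snake Oil, Ltd "
                  "/OU=Webserver Team /CN=www.snakeoil.dom")

if __name__ == "__main__":
    rdns = parse_openssl_subject(SAMPLE_SUBJECT)
    print(to_ldap_dn(rdns))
    print(domain_to_dc_dn("cuhk.edu.hk"))
    print(cn_matches_host(SAMPLE_SUBJECT, ["www.snakeoil.dom"]))
```

Note that the two DN string forms reverse the RDN order and that the comma in "Snake Oil, Ltd" must be escaped in the LDAP form; a naive string comparison between the subject printed by OpenSSL and a DN stored in the directory will therefore fail even when both name the same object, which is one reason applications compare a single attribute such as CN or mail instead.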
