Re: Storing TLS credentials in the directory

Tue, 11 Apr 2017 13:24:05 -0700 

Quanah Gibson-Mount wrote:

--On Sunday, April 09, 2017 9:57 PM +0100 Howard Chu <h...@symas.com> wrote:


You cannot write a decent design from scratch. It's important to have a
baseline of functionality to get an idea of scope. The current overlay
provides that baseline.


Some immediate things I see after reading the man page for the current autoca
are:

a) Not going to work well for databases that use "" as a suffix, and then
support multiple domains beneath that (Zimbra had many customers that did
this.  One customer handled 10k unique top level domains.)

b) Related to the above, importing CA's for those customer domains would fail
(because they aren't located in the suffix)
I figured you would mention that. None of those are a target use case. If you're running infrastructure for a lot of different domains, you are probably already using some other full-blown CA.
My primary use for this is quick setup within a single domain. Typically for private networks. No web browser is going to recognize an auto-generated CA cert, so it's not really suited for (nor intended for) certificates that will be used by a general public. 


c) While there is an option to specify the keysize, there is no option to
specify the digest to use.  There should be a note on what the default digest
is, and an option to use other digests.  With Zimbra, we had a default of
sha256, and options of ripemd160, sha, sha1, sha224, sha256, sha384, sha512
Could add that. It uses whatever the OpenSSL default algorithm is, currently sha256. 


d) I don't see a mechanism for creating star certs, which can be fairly
critical.  I also don't see a mechanism for doing multiple DNS names, which
can be critical for a server with several CNAMES names.
Again, unlikely for private setups. But if you can suggest an attribute that the overlay can read to retrieve multiple DNS names it could of course be added. 

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>






--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to