Date: Tue, 18 Sep 2007 08:39:55 -0600 From: Richard Megginson rmeggins@redhat.com
Yes, very. http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
<quote>
NOTE - *Do not use cn=server-cert for your server certificate*. In step 7 of the linked instructions, it says to use certutil .... -s cn=server-cert - this will cause clients to fail to validate the cert. Instead, you must use the fully qualified domain name of your server host as the value of the cn attribute in the subject DN. For example, if your directory server hostname is foo.example.com, use
Also look at the constraints in RFC4513, section 3.1.3. Use subjectAltName extensions to get more flexibility here.
../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \ -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
to generate your server cert. This is the minimum. You may wish to provide your clients with more details about your server. For more information, see RFC 1485 http://www.ietf.org/rfc/rfc1485.txt. You could choose to specify the subject DN like this:
../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...
</quote>
Note that this also means that if you use cn=foo.example.com, clients must be able to resolve the server's IP address to "foo.example.com". If you don't care/can't do this, then use TLS_REQCERT never in your /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly recommend you do not do this though.
Agreed, bad idea. By the way, the OpenLDAP libraries never do a DNS lookup on the name you provide, so whether the name resolves or not doesn't matter. We expect the name passed in to exactly match the CN, or to match the subjectAltName.
389-users@lists.fedoraproject.org