Hi, I am planning to deploy all my LDAP servers with Puppet, so I am wondering: can I use the same server certificate and CA certificate (Directory Server) for all my servers?
If yes, then under which directory shall I place those certificates?
Thanks for help Robert
expert alert wrote:
> Hi, I am planning to deploy all my LDAP servers with Puppet, so I am wondering: can I use the same server certificate and CA certificate (Directory Server) for all my servers?
> If yes, then under which directory shall I place those certificates?
Certificates typically have the hostname embedded in the subject so it is specific to that host. The exception is wildcard certs (*.example.com). So unless you have a wildcard cert, which I'm not really recommending, you'll need to get separate certs for each of your servers.
I'm a CLI guy, so I don't know how you'd do this in the console, but the certs and keys go into the NSS database in /etc/dirsrv/slapd-YOUR-INSTANCE.
rob
You can also use a SAN cert, and put in just the names of the servers you will be using. Maybe better than using a wildcard cert.
i.e.:
ldap1.example.com
ldap2.example.com
On Tue, Apr 16, 2013 at 2:04 PM, Rob Crittenden rcritten@redhat.com wrote:
> expert alert wrote:
>> Hi, I am planning to deploy all my LDAP servers with Puppet, so I am wondering: can I use the same server certificate and CA certificate (Directory Server) for all my servers?
>> If yes, then under which directory shall I place those certificates?
> Certificates typically have the hostname embedded in the subject so it is specific to that host. The exception is wildcard certs (*.example.com). So unless you have a wildcard cert, which I'm not really recommending, you'll need to get separate certs for each of your servers.
> I'm a CLI guy, so I don't know how you'd do this in the console, but the certs and keys go into the NSS database in /etc/dirsrv/slapd-YOUR-INSTANCE.
> rob
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
On 16.4.2013 23:10, Kyle Flavin wrote:
> On Tue, Apr 16, 2013 at 2:04 PM, Rob Crittenden rcritten@redhat.com wrote:
>> expert alert wrote:
>>> Hi, I am planning to deploy all my LDAP servers with Puppet, so I am wondering: can I use the same server certificate and CA certificate (Directory Server) for all my servers?
>>> If yes, then under which directory shall I place those certificates?
Although it is technically possible, it is not recommended.
All servers will share the same private key, so the chance that the key will be compromised is bigger - you need to transfer the key securely from one server to another etc.
Could you explain your use case? I'm curious :-)
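Added example, not part of any message in this thread: a Python check a Puppet-driven rollout could run to see which directory servers a given certificate's names actually cover, comparing the per-host, SAN and wildcard options discussed above. The host names (`ldap3.example.com`, `www.example.com`) and the function names are constructed for illustration.

```python
# Added example: all names below are constructed sample data.

def name_matches(host: str, pattern: str) -> bool:
    """Match one host name against one certificate dNSName entry.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com covers ldap1.example.com but
    neither example.com nor a.b.example.com.
    """
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p


def uncovered(hosts, cert_names):
    """Return the hosts that no name in the certificate covers."""
    return [h for h in hosts
            if not any(name_matches(h, n) for n in cert_names)]


# Constructed inventory of directory servers managed by Puppet.
SERVERS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]

# The three ways of issuing the certificate raised in the thread.
PER_HOST = ["ldap1.example.com"]                       # one cert per server
SAN_CERT = ["ldap1.example.com", "ldap2.example.com"]  # explicit SAN list
WILDCARD = ["*.example.com"]                           # wildcard cert

if __name__ == "__main__":
    for label, names in [("per-host", PER_HOST),
                         ("SAN", SAN_CERT),
                         ("wildcard", WILDCARD)]:
        print(f"{label:9} leaves uncovered: {uncovered(SERVERS, names)}")
    # The wildcard is also valid for hosts that are not directory servers.
    print("wildcard matches www.example.com:",
          name_matches("www.example.com", "*.example.com"))
```

The SAN list fails closed when a new server is added without reissuing the certificate, while the wildcard (and any shared key) remains valid for every host under the domain.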