I need to deploy multiple 389 directory server instances into a production environment. I want to know if 389 directory server supports a wildcard server certificate. Currently the subject for my instance is:
Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
When using wildcard, it will be:
Subject: "CN=*.christianbook.com,OU=389 Directory Server"
Is it possible?
I guess GoDaddy might be able to support a wildcard certificate but I am not sure. Does anyone know about it?
Thanks, - xinhuan
On Sun, 2016-06-12 at 16:39 +0000, xinhuan zheng wrote:
I need to deploy multiple 389 directory server instances into a production environment. I want to know if 389 directory server supports a wildcard server certificate. Currently the subject for my instance is:
Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
When using wildcard, it will be:
Subject: "CN=*.christianbook.com,OU=389 Directory Server"
Yes.
Is it possible?
I guess GoDaddy might be able to support a wildcard certificate but I am not sure. Does anyone know about it?
No sorry. Wild cards cost a lot.
I would recommend a better approach. NSS supports SAN (SubjectAlternativeNames) on certs.
So you make a cert with:
certutil -R -f pwdfile.txt -d . -t "C,," -x -n "Server-Cert" -g 2048 \
  -s "CN=nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU" \
  -8 "nss.dev.example.com,nss-alt.dev.example.com" -o nss.dev.example.com.csr
This certificate once signed would be usable with:
* nss.dev.example.com
* nss-alt.dev.example.com
There's no real limit to how many alternative names you can have, but it's a good idea to plan your deployment so you don't have to keep re-issuing these when you request more certs.
Remember, this still needs signing, so you would need to send the .csr to your CA.
I hope that helps you,
Thanks,
- xinhuan
-- 389-users mailing list 389-users@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.or...
Hello William,
Thanks for your valuable information. For SubjectAlternativeNames, the alternative names you have shown in the example contain the '-' symbol, like 'nss-alt.dev.example.com'. Is the '-' symbol required in the server's hostname? Since we don't use that hostname naming convention. We use something like 'nssdev1.example.com', 'nssdev2.example.com'. So if I purchase 'nssdev.example.com' SubjectAlternativeNames, would it work for 'nssdev1.example.com' and 'nssdev2.example.com'?
- xinhuan
From: William Brown wibrown@redhat.com
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Sent: Sunday, June 12, 2016 5:22 PM
Subject: [389-users] Re: 389 directory server wildcard certificate
On Mon, 2016-06-13 at 16:15 +0000, xinhuan zheng wrote:
Hello William, Thanks for your valuable information. For SubjectAlternativeNames, the alternative names you have shown in the example contain the '-' symbol, like 'nss-alt.dev.example.com'. Is the '-' symbol required in the server's hostname? Since we don't use that hostname naming convention. We use something like 'nssdev1.example.com', 'nssdev2.example.com'.
It's not required, it's just how I do my naming.
I personally use:
<service>.domain.tld -> CNAME to the instance OR load balancer A/AAAA
<inst>-<location>.<class>.domain.tld -> CNAME to the server
<hostname>.class.domain.tld -> The server
For example:
ldap.example.com CNAME ldap01-bne.prd.example.com
ldap01-bne.prd.example.com CNAME mai.prd.example.com
ldap01-adl.prd.example.com CNAME kag.prd.example.com
mai.prd.example.com A 172.24.0.1
kag.prd.example.com A 172.25.0.1
You can use whatever you like though :) Any valid DNS name can be a subjectAlternativeName.
So if I purchase 'nssdev.example.com' SubjectAlternativeNames, would it work for 'nssdev1.example.com' and 'nssdev2.example.com'?
No.
You need to list *every* name on the cert.
So for you, I would advise you have:
ldap.example.com
ldap01.example.com
ldap02.example.com
ldap03.example.com
... as needed.
But you can have many names, so there is no issue here.
For my previous example, I would have as subject alternative names:
ldap.example.com
ldap01-bne.prd.example.com
ldap01-adl.prd.example.com
This way every host can be accessed via the service names, and I can *reuse* the certificate if I replace the host that one of the ldap01-<site> records points to.
Does this help you?
- xinhuan
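As an added illustration of the rule William gives above (every name must be listed; a SAN of nssdev.example.com does not cover nssdev1.example.com, and a wildcard covers exactly one label), here is a small Python matcher that follows the RFC 6125 rules for dNSName entries. It is example code, not from the thread or the 389 project, and the host names it is run over are constructed from the ones discussed in the thread.

```python
# Added example (not from the thread or the 389 project): a minimal check,
# following the RFC 6125 rules for dNSName entries, of which hostnames a
# certificate's SubjectAlternativeName list covers. Sample names are constructed.
# Modern TLS clients check the SAN entries only; the subject CN is ignored.
from typing import Iterable, List


def name_matches(san_name: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname.

    Only a whole-label "*" in the left-most position is honoured (as modern
    TLS clients do); it matches exactly one label, never zero or several.
    """
    pattern = san_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False
    if "*" in pattern:
        # wildcard must be the whole left-most label and must not sit
        # directly over a public suffix such as "*.com"
        if pattern[0] != "*" or "*" in pattern[1:] or len(pattern) < 3:
            return False
        return pattern[1:] == labels[1:]
    return pattern == labels  # partial wildcards like "nssdev*" are rejected


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def uncovered_hosts(san_names: Iterable[str], planned_hosts: Iterable[str]) -> List[str]:
    """Planned hosts the certificate would NOT serve: the names that would
    force a re-issue later unless they are listed up front."""
    sans = list(san_names)
    return [h for h in planned_hosts if not cert_covers(sans, h)]


if __name__ == "__main__":
    # the question asked in the thread: does nssdev.example.com cover nssdev1?
    print(cert_covers(["nssdev.example.com"], "nssdev1.example.com"))  # False
    # listing every name, as advised, leaves only the unlisted host uncovered
    sans = ["ldap.example.com", "ldap01.example.com", "ldap02.example.com"]
    print(uncovered_hosts(sans, ["ldap01.example.com", "ldap03.example.com"]))
    # a wildcard covers exactly one label
    print(cert_covers(["*.christianbook.com"], "dmdev1.christianbook.com"))  # True
    print(cert_covers(["*.christianbook.com"], "a.b.christianbook.com"))  # False
```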