Hi. We are in the process of renewing the certificates of our two 389DS servers which sync through multimaster replication. We are currently using a self-signed certificate shared between the two servers. Our topology is like this:
HAProxy : ldap.example.com for load balancing LDAP1 : ldap1.example.com LDAP2 : ldap2.example.com
Connections are made from clients to ldaps://ldap.example.com which sends requests to either ldap1 or ldap2 Following the 'SSL howto' [1] we would like to have separate 'real' certificates for the two servers. If I'm not wrong, the certificate signing requests should be created in each of the two 'real' servers for their real name and adding ldap.example.com as subjectaltname. Is that correct? If yes, then I have another question: having the two certificates it is not important which one clients use, is it? Thanks, Francesco
[1] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
On Tue, 2018-02-20 at 16:00 +0100, Francesco Marchesi wrote:
Hi. We are in the process of renewing the certificates of our two 389DS servers which sync through multimaster replication. We are currently using a self-signed certificate shared between the two servers. Our topology is like this:
HAProxy : ldap.example.com for load balancing LDAP1 : ldap1.example.com LDAP2 : ldap2.example.com
Connections are made from clients to ldaps://ldap.example.com which sends requests to either ldap1 or ldap2 Following the 'SSL howto' [1] we would like to have separate 'real' certificates for the two servers. If I'm not wrong, the certificate signing requests should be created in each of the two 'real' servers for their real name and adding ldap.example.com as subjectaltname. Is that correct?
That is correct!
Today you actually need ldap.example.com AND ldap1.example.com in the subjectAltName, because that's the "definitive" field. I think the rule is "if a SAN is present use it for hostnames instead of CN in the subject".
If yes, then I have another question: having the two certificates it is not important which one clients use, is it?
No, because the clients trust the CA that issues the two certs, not the individual certs themselves.
Hope that helps!
Thanks, Francesco
[1] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.htm l _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o rg
389-users@lists.fedoraproject.org