On Tue, 2018-02-20 at 16:00 +0100, Francesco Marchesi wrote:
Hi.
We are in the process of renewing the certificates of our two 389DS
servers which sync through multimaster replication.
We are currently using a self-signed certificate shared between the
two
servers.
Our topology is like this:
HAProxy :
ldap.example.com for load balancing
LDAP1 :
ldap1.example.com
LDAP2 :
ldap2.example.com
Connections are made from clients to
ldaps://ldap.example.com which
sends requests to either ldap1 or ldap2
Following the 'SSL howto' [1] we would like to have separate 'real'
certificates for the two servers.
If I'm not wrong, the certificate signing requests should be created
in
each of the two 'real' servers for their real name and adding
ldap.example.com as subjectaltname.
Is that correct?
That is correct!
Today you actually need
ldap.example.com AND
ldap1.example.com in the
subjectAltName, because that's the "definitive" field. I think the rule
is "if a SAN is present use it for hostnames instead of CN in the
subject".
If yes, then I have another question: having the two certificates it
is
not important which one clients use, is it?
No, because the clients trust the CA that issues the two certs, not the
individual certs themselves.
Hope that helps!
Thanks,
Francesco
[1]
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.htm
l
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.o
rg
--
Thanks,
William Brown