
Re: multiple server certificates



Quanah Gibson-Mount wrote:
> --On Tuesday, April 29, 2008 2:57 PM -0700 Howard Chu <hyc@symas.com> wrote:
>> I'm also skeptical about the motivation for this discussion. If you have
>> separate certs from separate CAs, then you really have distinct security
>> domains so I don't understand why you need them to share databases. You
>> might as well just run separate slapds.
>
> Multiple addresses from different domains on a given interface come to mind, where the database is particularly large, so you don't want to have multiple slapd's taking up the resources. That way each address could be secured via SSL, but access the same DB with a single slapd. Say, for example, x.google.org and y.google.com.

You can only have one listener per interface, so none of those considerations are relevant.


Again, if you're really serving multiple distinct security domains, then I don't see what data would be shared between them. It would be poor security practice to have them sharing anything.

This is the real question - why are you using server certs from different CAs? It seems Hallvard will have to answer that, since he posed the original question.

If it were just about mapping multiple DNS names to the same server, you wouldn't need to involve multiple CAs. You would just use a single cert, with multiple subjectAltNames. The use of different CAs means you have totally different administrative realms, different political authorities, and different policies. It is extremely unlikely that two different administrative bodies with different policies would jointly administer the same database.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
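
The single-certificate approach mentioned in the message above, shown as an added example that is not part of the original post: one certificate carrying several subjectAltName entries, checked against each name a client might connect to. The host names are constructed placeholders, the certificate is self-signed only so the example runs offline, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: one server certificate valid for several DNS names.
# x.example.org, y.example.com and z.example.net are constructed placeholders.

make_san_cert() {
    # $1 = output directory; remaining args = DNS names for subjectAltName
    dir=$1; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    # Self-signed so this runs offline. In a real deployment the same
    # extension goes into the CSR that is sent to the single issuing CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -addext "subjectAltName=$san" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

cert_matches() {
    # $1 = certificate file, $2 = host name a client would connect to.
    # Returns 0 only when the certificate is valid for that host name.
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Demonstration: two names covered by the certificate, one that is not.
tmp=$(mktemp -d)
make_san_cert "$tmp" x.example.org y.example.com
for h in x.example.org y.example.com z.example.net; do
    if cert_matches "$tmp/server.crt" "$h"; then
        echo "$h: covered by the certificate"
    else
        echo "$h: NOT covered, clients would reject the connection"
    fi
done
rm -rf "$tmp"
```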