Re: Multiple TLS keys or single key?
Today at 5:09pm, Maarten Thibaut wrote:
> As the cn: part of an SSL key needs to contain the fully qualified domain
> name of the host, what about machines with >1 hostname?
You need to set up their certificate so they understand all their names
in (to the best of my knowledge) their one certificate.
> Should I use several keys on the same slapd server? Or should I create a
> key with >1 hostname in its cn list (I've heard that this is possible, but
> cannot find any documentation on this subject).
>
> If it _is_ possible to have > 1 host per key, how can it be done?
If you are using a single instance of slapd (not running a slapd for
each fqdn with different ports for each one), then I believe you are
limited to a single certificate. I have not found any globally
recognized certificate makers who will make you a certificate that will
keep the subjectAltName values. You would need to have a DNS:fqdn entry
for each of the hostnames (beyond the primary name of the machine) that
clients will use to contact your server.
> If we should use > 1 key per host, how should they be configured in
> slapd.conf? Should each of the keys be specified as a
> TLSCertificateKeyFile in slapd.conf?
I think it is not possible to do that. I believe (and if I'm wrong, I
hope someone will correct me) that you either have to generate a
certificate using subjectAltName keyword listing fqdn's 2 through n or
you need to run multiple instances of slapd each with its own config
file (thus able to have its own certificate/key) and not able to share
databases.
> Thanks for any help with this!
>
> maarten
>
--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===
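The point the reply makes, that one certificate can cover several hostnames only if each extra name is carried as a DNS: entry in subjectAltName, is what a client's hostname check enforces. The following is an added example, not code from this thread or from OpenLDAP: it parses the `subjectAltName = DNS:...` line in the form one would put in an openssl.cnf extensions section, and then performs the RFC 6125-style comparison a TLS client does between the name it connected to and the names in the certificate. The hostnames are constructed for illustration; the rule that the CN is consulted only when the certificate carries no DNS SAN entries is the one modern clients apply.

```python
"""Parse an openssl.cnf subjectAltName line and check hostnames against it
the way a TLS client does (RFC 6125 style matching). Example code only."""

# Constructed example: the extension line one would place in the section
# named by `openssl req -extensions` when requesting a single certificate
# for an slapd host reachable under several names.
EXAMPLE_SAN_LINE = (
    "subjectAltName = DNS:ldap.example.edu, DNS:directory.example.edu, "
    "DNS:*.ldap.example.edu"
)


def parse_san_line(line):
    """Return the DNS names from 'subjectAltName = DNS:a, DNS:b, ...'.

    Non-DNS entries (IP:, email:, URI:) are ignored here because hostname
    matching in clients only considers dNSName values."""
    _, _, value = line.partition("=")
    names = []
    for entry in value.split(","):
        kind, _, name = entry.strip().partition(":")
        if kind.strip().upper() == "DNS" and name.strip():
            names.append(name.strip().lower())
    return names


def _dns_name_matches(pattern, hostname):
    """Compare one certificate name against the contacted hostname.

    Rules applied: case-insensitive; a trailing dot is ignored; a wildcard is
    only honoured as the whole left-most label (so '*.ldap.example.edu'
    matches 'a.ldap.example.edu' but not 'a.b.ldap.example.edu'); and a
    wildcard needs at least two further labels ('*.edu' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_accepted(hostname, san_dns_names, common_name=None):
    """Would a client that connected to `hostname` accept this certificate?

    If the certificate carries any DNS SAN entries, only those are consulted
    and the CN is ignored. The CN is used as a fallback only when there are
    no DNS SAN entries at all, which is why a second hostname placed solely
    in the CN does not help once a SAN list is present."""
    if san_dns_names:
        return any(_dns_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and _dns_name_matches(common_name, hostname)


if __name__ == "__main__":
    names = parse_san_line(EXAMPLE_SAN_LINE)
    for host in ("ldap.example.edu", "DIRECTORY.example.edu",
                 "a.ldap.example.edu", "a.b.ldap.example.edu",
                 "other.example.edu"):
        print(f"{host:28s} accepted={hostname_accepted(host, names)}")
```

To check what a real certificate carries, `openssl x509 -in cert.pem -noout -text` prints the X509v3 Subject Alternative Name section; the names listed there are the ones `parse_san_line` models, and any name a client will use to reach the server must appear among them.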