
Re: Antwort: Re: SSL certificates, kerberos keytabs, and load balancing [Virus checked]



>> Actually, I'm not. ;) We stopped using verisign and moved to
>> InstantSSL.  The problem there is they do not support subjectAltName
>> tags.  Do you know a vendor that does?  For various reasons, I cannot
>> use self-signed certs on our production servers, or I'd just go that
>> route.
>
> Why would you use the self-signed certificates?
>
> 1) Self-signed certs aren't a particularly good solution security-wise
> 2) openLDAP software doesn't like them. (or maybe I've been doing
> something wrong at that time...)

Default behavior.  You can disable it, I don't remember how
but it's documented in the Admin Guide under TLS.

p.

> 3) Establishing an internal CA is not such a big deal.
>
> CAs are a matter of trust. In a company, I trust the "security" folks in
>  the IT, in the outside world I trust Verisign(*)...

Agree, although, if you have only one server and no IT department,
a self-signed is not too bad a choice.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it