Re: OpenLDAP and wildcard SSL certs
On Thursday 14 April 2005 11:59, you wrote:
> Thanks for the feedback:
>
> On Thu, Apr 14, 2005 at 11:33:16AM -0400, Mike Wisener wrote:
> > Did you verify the subjectAltName was actually added on your signed
> > certificate? openssl x509 -in <cert> -text
>
> Yes, I did.
>
> > As far as I know, CN should be the fully qualified domain
> > name. subjectAltName should have the wildcard.
>
> But that defeats the whole purpose. Then you'd have to have one cert.
> for each FQDN and then what's the point of using a wildcard at all?
> Or am I misunderstanding what you're saying?
If the hostname you use in ldap://<hostname> matches the CN -- you are good.
If not, and subjectAltName is present, then <hostname> should be compared to
values in subjectAltName.
This is my understanding and as far as I can tell, it works in practice. If
someone knows there is another way this works, hopefully they will jump in.
Regards,
- Mike
--
Mike Wisener, GCIA
Senior Information Security Analyst
LURHQ -- http://www.lurhq.com
mwisener@lurhq.com
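The name-matching logic discussed in this thread, as an added example that is not code from the poster or from OpenLDAP: it checks a hostname against a certificate's CN and subjectAltName dNSName entries, with a wildcard honoured only as the whole leftmost label. The certificate dictionary is a constructed sample standing in for what `openssl x509 -text` would show; `san_first=True` applies the RFC 2818 / RFC 6125 rule (CN ignored whenever any dNSName SAN is present), while `san_first=False` applies the CN-then-SAN order described above.

```python
# Constructed sample: identity names as they would be read out of a server
# certificate with `openssl x509 -in <cert> -text`. Not a real certificate.
SAMPLE_CERT = {
    "cn": "ldap.example.com",
    "san_dns": ["*.example.com"],
}


def _name_matches(pattern, hostname):
    """Match one certificate name (CN or dNSName) against a hostname.

    A wildcard is accepted only when it is the entire leftmost label of a
    name with at least three labels, and it matches exactly one label:
    `*.example.com` covers `ldap.example.com` but neither `example.com`
    nor `a.b.example.com`. Partial-label wildcards (`ld*.example.com`)
    are rejected as a conservative choice.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert, san_first=True):
    """Decide whether `hostname` is a valid identity for `cert`.

    cert is a dict with keys "cn" (str) and "san_dns" (list of str).
    """
    if san_first:
        # RFC 2818 / RFC 6125: when any dNSName SAN is present it is the
        # identity, and the CN is not consulted at all.
        if cert["san_dns"]:
            return any(_name_matches(p, hostname) for p in cert["san_dns"])
        return _name_matches(cert["cn"], hostname)
    # Order as described in the thread: CN first, then the SAN values.
    if _name_matches(cert["cn"], hostname):
        return True
    return any(_name_matches(p, hostname) for p in cert["san_dns"])
```

With `san_first=True`, a certificate whose SAN names a different domain will fail for the CN host even though the CN matches, which is the behaviour modern LDAP clients exhibit.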