> Date: Tue, 04 Apr 2006 11:30:30 -0700 > From: "George Holbert" <gholbert at broadcom.com> > > >> Does Directory Server support the subjectAltName extension on SSL certs? >> >> > > Yes, the NSS toolkit which Directory Server uses can handle these certs. > > The next question is, do your SSL-enabled LDAP clients support these certs? > I need to support both Solaris and RedHat Linux LDAP name service > clients (i.e., passwd, group, automount, etc.). I've found that: > - Solaris clients can handle wildcard certs. RHEL 3 clients can't. > - RHEL 3 clients can handle subjectAltName certs. Solaris clients can't. > > So, while the server can present either of these cert types, your > clients' limitations will also influence how you sign your certs. > > Someone should file a bug report with Sun then, since LDAP RFC2830 defines support for subjectAltName and not for wildcard certs. The LDAPbis specifications will be pretty much the same here. I.e., Sun's LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries, which are fully LDAPv3 compliant. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
