Re: getting sh on RHAS5 to work with FDS.

> Date: Tue, 18 Sep 2007 08:39:55 -0600
> From: Richard Megginson <rmeggins at redhat.com>

> Yes, very.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
> <quote>
> 
> NOTE - *Do not use cn=server-cert for your server certificate*. In step 
> 7 of the linked instructions, it says to use certutil .... -s 
> cn=server-cert - this will cause clients to fail to validate the cert. 
> Instead, you must use the fully qualified domain name of your server 
> host as the value of the cn attribute in the subject DN. For example, if 
> your directory server hostname is foo.example.com, use

Also look at the constraints in RFC4513, section 3.1.3. Use subjectAltName 
extensions to get more flexibility here.
> 
> ../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \
> -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> 
> to generate your server cert. This is the minimum. You may wish to 
> provide your clients with more details about your server. For more 
> information, see RFC 1485 <http://www.ietf.org/rfc/rfc1485.txt>. You 
> could choose to specify the subject DN like this:
> 
> ../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...
> 
> </quote>
> 
> Note that this also means that if you use cn=foo.example.com, clients 
> must be able to resolve the server's IP address to "foo.example.com". If 
> you don't care/can't do this, then use TLS_REQCERT never in your 
> /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly 
> recommend you do not do this though.

Agreed, bad idea. By the way, the OpenLDAP libraries never do a DNS lookup on 
the name you provide, so whether the name resolves or not doesn't matter. We 
expect the name passed in to exactly match the CN, or to match the subjectAltName.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
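To show what the matching rule in RFC 4513 section 3.1.3 and the reply above amount to in practice, here is an added Python example (not code from this thread, from OpenLDAP or from Fedora Directory Server): it takes the CN from the leaf RDN of a certutil-style subject DN string, or the subjectAltName dNSName values, and compares the name the client was given against them with no DNS lookup. The ServerCertIdentity structure, the helper names and the sample values are assumptions for illustration.

```python
"""Server identity check in the style of RFC 4513 section 3.1.3 (illustrative)."""
from dataclasses import dataclass, field


@dataclass
class ServerCertIdentity:
    """Identity fields a client would extract from a server certificate (assumed structure)."""
    subject_dn: str                                   # e.g. "cn=foo.example.com,ou=engineering,o=example corp,c=us"
    san_dns_names: list = field(default_factory=list)  # subjectAltName dNSName values, if any


def leaf_cn(subject_dn):
    """Return the CN value of the leaf (leftmost) RDN of an RFC 1485-style DN string, or None.

    Splits on unescaped commas only; that is sufficient for the DNs shown on this page."""
    leaf = subject_dn.split(",")[0].strip()
    attr, _, value = leaf.partition("=")
    if attr.strip().lower() != "cn":
        return None
    return value.strip()


def dns_name_matches(pattern, reference):
    """Case-insensitive DNS name comparison. A '*' is honoured only as the whole leftmost
    label and (conservatively) matches exactly one label: *.example.com matches
    foo.example.com but neither example.com nor a.b.example.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if p_labels[0] == "*":
        return len(p_labels) > 1 and len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def verify_server_identity(cert, reference_name):
    """Return (ok, reason). reference_name is the host name the client was told to connect to;
    it is never resolved, so it must match a dNSName SAN or, failing that, the leaf CN."""
    if cert.san_dns_names:
        # RFC 4513: when dNSName SANs are present they are the source of the identity.
        if any(dns_name_matches(n, reference_name) for n in cert.san_dns_names):
            return True, "matched subjectAltName dNSName"
        return False, "no subjectAltName dNSName matched"
    cn = leaf_cn(cert.subject_dn)
    if cn is None:
        return False, "no CN in leaf RDN of subject"
    if dns_name_matches(cn, reference_name):
        return True, "matched subject CN (deprecated fallback)"
    return False, f"CN {cn!r} does not match {reference_name!r}"


if __name__ == "__main__":
    # Constructed samples: the cn=server-cert mistake from the thread, and the recommended form.
    print(verify_server_identity(ServerCertIdentity("cn=server-cert"), "foo.example.com"))
    print(verify_server_identity(ServerCertIdentity(
        "cn=foo.example.com,ou=engineering,o=example corp,c=us"), "foo.example.com"))
```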
