On Thursday 20 September 2007 21:36, George Holbert wrote:

OK, so I managed to create a new certificate using subjectAltName extensions,
and it works as advertised. I can run ldapsearches against both eastldap and
eastldap0.

Now my question is about generating certs for the other servers. Now that I
have the CA cert on eastldap0, I would assume I need to install the CA on each
additional server. Can I just copy and paste the cacert.asc into the manage
certificate wizard? Then I would generate new certs for each server. Now, do I
need to generate the certs all from eastldap0? Or, once the CA cert is
installed on the rest of the boxes, am I able to generate the required certs
on each box? Is it generally a good idea to keep all the cert creation in a
central location? And for the clients, all they need is the one cacert.asc to
be able to encrypt comms with each server?

Thanks
Ryan

>
> Each running FDS server instance will have just one SSL certificate.
> If you want your server to identify with multiple names, you can either:
> - Do a cert with subjectAltName extensions.
> - Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).
>
> LDAP / SSL client support for these varies, so you will probably want to
> test both ways and see what works better with your clients.
> If it works for you, the subjectAltName method is probably preferable,
> because you can precisely list the valid names for your server.
>
> Also, consider keeping it simple and just doing certs with single names
> (e.g., one cert each for 'westldap.test.com' and 'eastldap.test.com'),
> and installing that same cert on each server which should have that SSL
> identity. This is actually a pretty common way to do it, though it will
> limit your ability to make SSL connections to individual nodenames, like
> eastldap0.test.com (as you noticed).
>
> Ryan Braun wrote:
> > Hey guys, installed FDS on a couple of Debian servers this week and am
> > liking it so far.
> > I have a couple of questions regarding SSL/TLS setup with servers set up
> > for an IP-takeover type HA setup. Keep in mind I have some experience
> > with the LDAP side of things; it's the SSL and all the different certs
> > and whatnot that keeps me up at night.
> >
> > Essentially what I'm looking at is a 4-way multimaster setup, ending up
> > with 2 HA pairs of servers. Call them eastldap and westldap. I've
> > implemented the east side in my test lab and have it replicating and can
> > pull any user info I need off the directory no problem.
> >
> > so
> > eastldap0.test.com ip 192.168.0.11
> > eastldap1.test.com ip 192.168.0.12
> > and the virtual interface on whichever machine is master would be
> > eastldap.test.com ip 192.168.0.10
> >
> > and then the exact same setup with the last 2
> >
> > westldap0.test.com ip 192.168.1.11
> > westldap1.test.com ip 192.168.1.12
> > westldap.test.com ip 192.168.1.10
> >
> > Once everything is set up and running, clients would primarily only be
> > connecting to either virtual interface (west/eastldap) using TLS over
> > port 389, and the 4 masters replicating with encryption (not sure, but I
> > imagine this takes place on the ldaps port).
> >
> > I followed the instructions on the howto:ssl page and created a cert
> > located on eastldap0. But instead of using eastldap0.test.com as the
> > cn, I used eastldap.test.com. Cert installed OK; made sure eastldap0
> > was the HA master and restarted FDS.
> >
> > When I copied over the cacert to a Linux client, I can run searches
> > using ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs
> > confirm everything is coming back encrypted. It seems to be behaving as
> > expected: when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with
> > error 11, additional info: TLS: hostname does not match CN in peer
> > certificate, which is right, as the name in the cert is
> > eastldap.test.com.
> >
> > So it would appear I'm on my way; I just am not sure about what certs I
> > need now, and how to add them properly. I would think I need at the very
> > least
> >
> > eastldap0
> > - eastldap0.test.com cert
> > - eastldap.test.com cert
> > eastldap1
> > - eastldap1.test.com cert
> > - eastldap.test.com cert
> > westldap0
> > - westldap0.test.com cert
> > - westldap.test.com cert
> > westldap1
> > - westldap1.test.com cert
> > - westldap.test.com cert
> >
> > I'm just not sure if that is the proper way to go about it. Also, I
> > would like the clients to be able to have all the cacerts to be able to
> > communicate with all virtual and physical addresses if need be.
> > Later on, I would probably be adding 5 or 6 consumer read-only replicas
> > in between the suppliers and the clients, but one must walk before they
> > run, I guess :)
> >
> > Long post, I know; just trying to make sure I get all the important stuff
> > out there. Be kind if I was using the incorrect terminology for the
> > certs/cacerts :)
> >
> > Ryan
> >
> > PS. Anyone have a good "SSL for dummies" reference that lays out what the
> > heck is going on with SSL (pems, keys, certs, cacerts etc.)?
> >
> > --
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
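The layout the thread converges on, as an added example that is not part of the original posts and not FDS's own tooling: one private CA whose public cert is the single "cacert" every client and every server instance trusts, and one certificate per physical node whose subjectAltName lists both the node's own name and the HA virtual name of its pair, so a client can connect to either name and pass the hostname check that failed on eastldap0 in Ryan's first attempt. FDS manages its certificates with NSS (certutil and the console wizard); this script uses the OpenSSL CLI instead, only to show the X.509 content those tools need to produce. Hostnames are the ones from Ryan's post; the CA name, file names, key sizes and validity periods are assumptions. It needs openssl 1.0.2 or later on the path.

```shell
#!/bin/sh
# Added example, not from the thread or the FDS project. Builds a private CA
# and per-node server certs with SAN entries for node name + virtual name,
# then checks them the way a TLS client does. Hostnames from Ryan's post;
# CA name, file names and validity periods are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
# The placeholder CN is always overridden with -subj below.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# One private CA for the whole deployment. cacert.pem is the only thing the
# clients (and each server's trust store) need; ca.key stays on the signing box.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config req.cnf -extensions ca_ext -subj "/CN=test.com LDAP CA" \
        -keyout ca.key -out cacert.pem >/dev/null 2>&1
}

# One server cert per node: $1 is the node's hostname (used as the CN), any
# further arguments are extra names it must also answer to (the virtual name).
# Every name goes into the SAN: a client that understands SAN checks the SAN
# and not the CN, so a name present only in the CN is not enough.
make_server_cert() {
    node=$1; shift
    sans="DNS:$node"
    for extra in "$@"; do sans="$sans,DNS:$extra"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
        -subj "/CN=$node" -keyout "$node.key" -out "$node.csr" >/dev/null 2>&1
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$sans" > "$node.ext"
    openssl x509 -req -sha256 -days 825 -CA cacert.pem -CAkey ca.key -CAcreateserial \
        -in "$node.csr" -out "$node.crt" -extfile "$node.ext" >/dev/null 2>&1
}

# What 'ldapsearch -ZZ -h NAME' effectively does on the client side: build the
# chain to the trusted cacert and require NAME to appear in the certificate.
# $1 = certificate file, $2 = name the client connected to. Exit 0 on match.
cert_accepts_name() {
    openssl verify -CAfile cacert.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# List the DNS names a cert carries in its SAN, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

make_ca
# Each physical node gets its own name plus the virtual name of its pair.
make_server_cert eastldap0.test.com eastldap.test.com
make_server_cert eastldap1.test.com eastldap.test.com
make_server_cert westldap0.test.com westldap.test.com
make_server_cert westldap1.test.com westldap.test.com
# The single-name cert Ryan started with, kept for comparison.
make_server_cert eastldap.test.com

for name in eastldap0.test.com eastldap.test.com eastldap1.test.com; do
    if cert_accepts_name eastldap0.test.com.crt "$name"; then
        echo "eastldap0 cert accepted for $name"
    else
        echo "eastldap0 cert REJECTED for $name (hostname mismatch)"
    fi
done
```

Each node imports its own `<node>.key`/`<node>.crt` pair plus `cacert.pem`; every client only needs `cacert.pem`. The last loop reproduces the behaviour in the thread: the eastldap0 cert is accepted for eastldap0.test.com and eastldap.test.com and rejected for eastldap1.test.com, and the single-name eastldap.test.com cert is rejected for eastldap0.test.com, which is the "hostname does not match" error Ryan saw. Whether the directory clients in use honour SAN rather than only the CN is the point George raised, and is the thing to confirm with a real `ldapsearch -ZZ` against each name before rolling the certs out.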