duplicate existing ssl credentials on another server ?

On November 9, 2010 04:19:01 pm Gerrard Geldenhuis wrote:
> >________________________________________
> >From: 389-users-bounces at lists.fedoraproject.org
> > [389-users-bounces at lists.fedoraproject.org] on behalf of Daniel Maher
> > [dma+389users at witbe.net] Sent: 09 November 2010 16:06
> >To: 389-users at lists.fedoraproject.org
> >Subject: Re: duplicate existing ssl crenentials on another
> > server ?
> >
> >On 11/09/2010 04:27 PM, Gerrard Geldenhuis wrote:
> >> There is another document on the wiki which describes how to setup
> >> certificates for a vip.... that is similar to what you want to do. I
> >> can't find it at the moment but might be worth trolling through the
> >> wiki again.
> >
> >Actually, the SSL howto has a section on VIPs (the only hit on a search,
> >in fact) :
> >http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
> >
> >I gave it a second read-through, and it would seem to indicate that alt
> >names can be IPs as well as hostnames (i thought it was only the latter
> >that was possible).
> >
> >It would therefore appear to be possible to create a certificate that
> >with a series of alt names - in my scenario, there would literally be
> >one hostname and two IP addresses.
> >
> >Has anybody on the list done something similar ?  Any advice ?  Should
> >this just work outright ?
> >
> >(p.s. Angel Bosch Mora - turns out you may have been right the first
> >time ! :) ).
>
> I have not done it before... good luck and may the force be with you. :-)
>
> In all seriousness I don't know, if you get it working then steps and
> pointers back to the list would be great.
>
> Regards

Subject Alt Name extensions are exactly what you're looking for.  Set the 
initial cert name to the actual FQDN of the box you're running on.  Then add 
all other hostnames, FQDNs, and IPs as Subject Alt Name extensions.

For example, you have a 2-machine HA setup: ldap0.example.com (192.168.0.10) 
and ldap1.example.com (192.168.0.11) with a virtual address of 
ldap.example.com (192.168.0.12).

For ldap0, you would set the initial cert as ldap0.example.com, and then add 
the following as 
extensions: "ldap0,ldap.example.com,ldap,192.168.0.10,192.168.0.12"

Now when you try to do an encrypted query, you can point to any of the 
following in your query, and not get a cert error.

ldap0.example.com
ldap0
ldap.example.com
ldap
192.168.0.10
192.168.0.12

Ryan Braun
Aviation and Defence Services Division 
Chief Information Officer Branch, Environment Canada
CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
E-Mail: Ryan.Braun at ec.gc.ca
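As an added illustration (not code from the thread or from 389 DS), the script below models the name check an LDAP client performs against the SAN list Ryan describes for ldap0. The certificate contents are constructed from his example; the matching rules follow what strict TLS clients do (RFC 6125 style): an IP literal only matches an iPAddress entry, a hostname only matches dNSName entries, and the CN is consulted only when the cert carries no SAN at all, which is why the IPs must go in as SAN entries rather than into the CN.

```python
import ipaddress

# Constructed SAN list for ldap0, mirroring the example in the message above:
# CN is the host's own FQDN, every other name and address is a SAN entry.
LDAP0_CERT = {
    "cn": "ldap0.example.com",
    "san": [
        ("dns", "ldap0.example.com"),
        ("dns", "ldap0"),
        ("dns", "ldap.example.com"),
        ("dns", "ldap"),
        ("ip", "192.168.0.10"),
        ("ip", "192.168.0.12"),
    ],
}

def _dns_match(pattern, host):
    """Case-insensitive exact match, plus a single left-most '*' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] == "*" and len(p_labels) > 2 and len(p_labels) == len(h_labels):
        return p_labels[1:] == h_labels[1:]
    return False

def cert_matches_target(cert, target):
    """True if a client connecting to `target` would accept `cert` by name.

    IP literals are compared only with iPAddress SAN entries, hostnames only
    with dNSName entries; the CN is a fallback solely when there is no SAN.
    """
    san = cert.get("san", [])
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in san)
    if san:
        return any(k == "dns" and _dns_match(v, target) for k, v in san)
    return _dns_match(cert.get("cn", ""), target)

def unmatched_targets(cert, targets):
    """Connect targets that would produce a certificate name error."""
    return [t for t in targets if not cert_matches_target(cert, t)]

if __name__ == "__main__":
    targets = ["ldap0.example.com", "ldap0", "ldap.example.com", "ldap",
               "192.168.0.10", "192.168.0.12", "ldap1.example.com", "192.168.0.11"]
    for t in targets:
        print(f"{t:20} {'ok' if cert_matches_target(LDAP0_CERT, t) else 'NAME MISMATCH'}")
```

Running it shows the six names from the message accepted and ldap1's name and address rejected, i.e. ldap1 needs its own cert with its own FQDN and IP plus the shared VIP entries.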

