On 5/13/2014 10:12 AM, Elizabeth Jones wrote:
> > no need for wildcard certs... use the Subject Alt Name. Works fine. Been
> > doing it for years. certutil supports it as well.
> > /mrg
> Thanks, this looks like it is what I need. I do have a question about this
> though - we have a single url that we use that is on our GTM - the GTM
> routes the request based on the IP address of the incoming request to a
> specific data center. We have a single VIP IP address at each data center.
> Should I include the base url and the VIP IP addresses for both data
> centers, or just the base url that we are sending our requests to?
Typically certificate validation is done on the DNS host name not IP
address (although IP-based validation is possible).
Think of it like this: the client initiating the connection uses some
host name. It needs to see a server cert that includes that same host
name in order to declare the cert valid. Repeat this same thought
process for all clients connecting to all your servers (including any
clients that are not using the LB).
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
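
The host-name check described in the reply above, as an added example that is not part of the original thread: given the Subject Alt Name entries on a server certificate and the names clients actually connect with, it lists the clients whose validation would fail. All host names and addresses are constructed placeholders, and the single-label wildcard rule is included for completeness even though the thread avoids wildcard certificates.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(client_name, san_entries):
    """True if the name the client connected with is covered by the SAN list.

    san_entries is a list of (type, value) tuples, type being "DNS" or "IP".
    """
    if _is_ip(client_name):
        # A client that connects by IP only matches an iPAddress entry,
        # never a dNSName entry, even if DNS resolves to that address.
        target = ipaddress.ip_address(client_name)
        return any(t == "IP" and ipaddress.ip_address(v) == target
                   for t, v in san_entries)
    host = client_name.rstrip(".").lower()  # DNS names compare case-insensitively
    for t, v in san_entries:
        if t != "DNS":
            continue
        pattern = v.rstrip(".").lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # A wildcard stands for exactly one leftmost label.
            _, _, rest = host.partition(".")
            if rest and rest == pattern[2:]:
                return True
    return False

def uncovered_clients(client_names, san_entries):
    """Names that clients use but the certificate does not cover."""
    return [n for n in client_names if not name_matches(n, san_entries)]

# Constructed sample: one load-balanced name plus one name per data center.
SAN = [("DNS", "ldap.example.com"),
       ("DNS", "ldap-dc1.example.com"),
       ("DNS", "ldap-dc2.example.com")]
# Constructed sample: every name some client is configured to connect to.
CLIENT_NAMES = ["ldap.example.com", "LDAP-DC1.example.com",
                "ldap-dc2.example.com", "192.0.2.10"]

if __name__ == "__main__":
    print("not covered by the certificate:", uncovered_clients(CLIENT_NAMES, SAN))
```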