On Mon, 2016-06-13 at 16:15 +0000, xinhuan zheng wrote:
> Hello William,
> Thanks for your valuable information. For SubjectAlternativeNames, the alternative names you have shown in the example
> contain the '-' symbol, like 'nss-alt.dev.example.com'. Is the '-' symbol required in the server's hostname? Since we don't use that
> hostname naming convention. We use something like 'nssdev1.example.com', 'nssdev2.example.com'.

It's not required, it's just how I do my naming. I personally use:

<service>.domain.tld -> CNAME to the instance OR load balancer A/AAAA
<inst>-<location>.<class>.domain.tld -> CNAME to the server
<hostname>.class.domain.tld -> The server

For example:

ldap.example.com CNAME ldap01-bne.prd.example.com
ldap01-bne.prd.example.com CNAME mai.prd.example.com
ldap01-adl.prd.example.com CNAME kag.prd.example.com
mai.prd.example.com A 172.24.0.1
kag.prd.example.com A 172.25.0.1

You can use whatever you like though :) Any valid DNS name can be a subjectAlternativeName.

> So if I purchase 'nssdev.example.com' SubjectAlternativeNames, would it work for 'nssdev1.example.com' and
> 'nssdev2.example.com'?

No. You need to list *every* name on the cert. So for you, I would advise you have:

ldap.example.com
ldap01.example.com
ldap02.example.com
ldap03.example.com
... as needed.

But you can have many names, so there is no issue here. For my previous example, I would have as subject alternative names:

ldap.example.com
ldap01-bne.prd.example.com
ldap01-adl.prd.example.com

This way every host can be accessed via the service names, and I can *reuse* the certificate if I replace the host that one of the ldap01-<site> records points to.

Does this help you?

> - xinhuan
>
> From: William Brown <wibrown@xxxxxxxxxx>
> To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Sunday, June 12, 2016 5:22 PM
> Subject: [389-users] Re: 389 directory server wildcard certificate
>
> On Sun, 2016-06-12 at 16:39 +0000, xinhuan zheng wrote:
> >
> > I need to deploy multiple 389 directory server instances into a production environment. I want to know if 389 directory server
> > supports wildcard server certificates. Currently the subject for my instance is:
> >
> > Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
> >
> > When using wildcard, it will be:
> >
> > Subject: "CN=*.christianbook.com,OU=389 Directory Server"
>
> Yes.
>
> > Is it possible?
> >
> > I guess GoDaddy might be able to support wildcard certificate but I am not sure. Does anyone know about it?
>
> No sorry. Wild cards cost a lot.
>
> I would recommend a better approach. NSS supports SAN (SubjectAlternativeNames) on certs.
>
> So you make a cert with:
>
> certutil -R -f pwdfile.txt -d . -t "C,," -x -n "Server-Cert" -g 2048 \
>   -s "CN=nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU" \
>   -8 "nss.dev.example.com,nss-alt.dev.example.com" -o nss.dev.example.com.csr
>
> This certificate once signed would be useable with:
>
> * nss.dev.example.com
> * nss-alt.dev.example.com
>
> There's no real limit to how many alternative names you can have, but it's a good idea to plan your deployment so you don't have
> to keep re-issuing these when you request more certs.
>
> Remember, this still needs signing so you would need to send the .csr to your CA
>
> I hope that helps you,
>
> > Thanks,
> > - xinhuan
> > --
> > 389-users mailing list
> > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> --
> 389-users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
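The thread's central point is that a certificate is only valid for the names it actually lists: a SAN of nssdev.example.com says nothing about nssdev1.example.com, and a wildcard such as *.christianbook.com covers exactly one label. The checker below is an added example (not code from the thread or from the 389 project) that applies the standard hostname-matching rules to a SAN list and reports which planned instance names a certificate would fail to cover; it assumes the dNSName list has already been extracted from the certificate (for example from `certutil -L -d . -n Server-Cert`), and the SAN lists in the `__main__` block are constructed to mirror the examples in the thread.

```python
"""Report which planned 389 DS instance hostnames a certificate's names cover."""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate dNSName (possibly '*.domain.tld') covers hostname."""
    cert_labels, host_labels = _labels(cert_name), _labels(hostname)
    if host_labels[0] == "":
        return False
    if "*" not in cert_name:
        return cert_labels == host_labels  # plain name: exact match only
    # Wildcard rules: '*' must be the entire leftmost label, at least two
    # labels must follow it, and it matches exactly one hostname label.
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    if len(host_labels) != len(cert_labels):
        return False  # base domain or deeper subdomain is not covered
    return cert_labels[1:] == host_labels[1:]


def covered_by(cert_names: Iterable[str], hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert_names)


def missing_names(cert_names: Iterable[str], planned_hosts: Iterable[str]) -> List[str]:
    """Planned hostnames the certificate would NOT be valid for (empty list == all covered)."""
    names = list(cert_names)
    return [h for h in planned_hosts if not covered_by(names, h)]


if __name__ == "__main__":
    # Constructed SAN lists mirroring the thread; not taken from a real certificate.
    print(missing_names(["nssdev.example.com"],
                        ["nssdev1.example.com", "nssdev2.example.com"]))
    # -> ['nssdev1.example.com', 'nssdev2.example.com']: similar names are not covered
    full = ["ldap.example.com", "ldap01-bne.prd.example.com", "ldap01-adl.prd.example.com"]
    print(missing_names(full, ["ldap.example.com", "ldap01-bne.prd.example.com"]))  # -> []
    print(covered_by(["*.christianbook.com"], "dmdev1.christianbook.com"))    # -> True
    print(covered_by(["*.christianbook.com"], "christianbook.com"))           # -> False
    print(covered_by(["*.christianbook.com"], "a.dmdev1.christianbook.com"))  # -> False
```

Running it against the SAN list of a freshly signed Server-Cert and the full list of instance and service names before deployment catches a missing name before a client does.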