Hi. We are in the process of renewing the certificates of our two 389DS servers which sync through multimaster replication. We are currently using a self-signed certificate shared between the two servers. Our topology is like this: HAProxy : ldap.example.com for load balancing LDAP1 : ldap1.example.com LDAP2 : ldap2.example.com Connections are made from clients to ldaps://ldap.example.com which sends requests to either ldap1 or ldap2 Following the 'SSL howto' [1] we would like to have separate 'real' certificates for the two servers. If I'm not wrong, the certificate signing requests should be created in each of the two 'real' servers for their real name and adding ldap.example.com as subjectaltname. Is that correct? If yes, then I have another question: having the two certificates it is not important which one clients use, is it? Thanks, Francesco [1] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
