Date: Tue, 18 Sep 2007 08:39:55 -0600
From: Richard Megginson <rmeggins@xxxxxxxxxx>
Yes, very.
http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
<quote>
NOTE - *Do not use cn=server-cert for your server certificate*. In step
7 of the linked instructions, it says to use certutil .... -s
cn=server-cert - this will cause clients to fail to validate the cert.
Instead, you must use the fully qualified domain name of your server
host as the value of the cn attribute in the subject DN. Also look at the
constraints in RFC4513, section 3.1.3. Use subjectAltName extensions to
get more flexibility here. For example, if your directory server hostname
is foo.example.com, use
../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \
-t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
to generate your server cert. This is the minimum. You may wish to
provide your clients with more details about your server. For more
information, see RFC 1485 <http://www.ietf.org/rfc/rfc1485.txt>. You
could choose to specify the subject DN like this:
../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...
</quote>
Note that this also means that if you use cn=foo.example.com, clients
must be able to resolve the server's IP address to "foo.example.com". If
you don't care/can't do this, then use TLS_REQCERT never in your
/etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly
recommend you do not do this though.
Agreed, bad idea. By the way, the OpenLDAP libraries never do a DNS lookup on
the name you provide, so whether the name resolves or not doesn't matter. We
expect the name passed in to exactly match the CN, or to match the subjectAltName.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
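The check Howard describes, the client comparing the name it was given against the subjectAltName dNSName values or the subject CN with no DNS lookup in either direction, written out as an added Python example. It is not code from this thread, from OpenLDAP or from Fedora Directory Server; the certificates are constructed dicts in the shape Python's ssl.getpeercert() returns, the hostnames are made up, and the rule that a wildcard must be the entire left-most label is a stricter reading of RFC 4513 chosen for the example.

```python
"""Server-identity check for LDAP over TLS as described in RFC 4513, section
3.1.3: the client compares the hostname it was asked to connect to against the
certificate's subjectAltName dNSName values, or the CN of the subject's leaf RDN
when no dNSName is present, and never consults DNS in either direction.
The certificates below are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); no real certificate or network is involved."""


def rfc4513_name_matches(reference: str, presented: str) -> bool:
    """Compare a reference identity (the name the client used to connect) with
    one name presented by the certificate. Matching is case-insensitive; a '*'
    is allowed only as the entire left-most label and matches exactly one
    label, so '*.example.com' matches 'a.example.com' but neither
    'example.com' nor 'a.b.example.com'. RFC 4513 only says the wildcard
    applies to the left-most component; requiring it to be the whole label
    is the stricter reading this example enforces."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if "*" in presented:
        if pres[0] != "*" or any("*" in label for label in pres[1:]):
            return False  # wildcard anywhere but the whole left-most label
        return len(ref) == len(pres) and all(ref) and ref[1:] == pres[1:]
    return ref == pres


def certificate_identities(peercert: dict) -> tuple[list[str], str]:
    """Names a client may compare against, in the order RFC 4513 prefers:
    subjectAltName dNSName values if any exist, otherwise the CN of the
    subject's leaf (last) RDN. A CN such as 'server-cert' therefore only
    matches a client that literally asked for a host named server-cert."""
    dns_names = [value for kind, value in peercert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return dns_names, "subjectAltName dNSName"
    common_names = [value for rdn in peercert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    return common_names[-1:], "subject CN"


def verify_server_identity(hostname_used: str, peercert: dict) -> tuple[bool, str]:
    """Return (ok, reason). hostname_used must be the host from the LDAP URL
    (ldap://foo.example.com/), not a reverse-resolved address: the OpenLDAP
    client libraries do no DNS lookup, and neither does this function, so an
    IP address or an alias in the URL fails unless the certificate names it."""
    names, source = certificate_identities(peercert)
    for name in names:
        if rfc4513_name_matches(hostname_used, name):
            return True, f"{hostname_used!r} matches {source} {name!r}"
    return False, f"no {source} in {names} matches {hostname_used!r}"


# Constructed sample certificates (not real), in getpeercert() form.
CERT_SERVER_CERT = {  # the mistake the wiki warns about: cn=server-cert
    "subject": ((("commonName", "server-cert"),),),
}
CERT_CN_ONLY = {  # the minimum the wiki recommends: CN is the host's FQDN
    "subject": ((("organizationName", "example corp"),),
                (("commonName", "foo.example.com"),)),
}
CERT_WITH_SAN = {  # extra flexibility: several names via subjectAltName
    "subject": ((("commonName", "foo.example.com"),),),
    "subjectAltName": (("DNS", "foo.example.com"),
                       ("DNS", "ldap.example.com"),
                       ("DNS", "*.dc1.example.com")),
}

if __name__ == "__main__":
    for host, cert in [("foo.example.com", CERT_SERVER_CERT),
                       ("foo.example.com", CERT_CN_ONLY),
                       ("FOO.EXAMPLE.COM", CERT_CN_ONLY),
                       ("10.0.0.5", CERT_CN_ONLY),  # fails even if it reverse-resolves
                       ("ldap.example.com", CERT_WITH_SAN),
                       ("srv1.dc1.example.com", CERT_WITH_SAN),
                       ("dc1.example.com", CERT_WITH_SAN)]:
        ok, why = verify_server_identity(host, cert)
        print("OK  " if ok else "FAIL", why)
```

Run stand-alone it prints one line per case; the cn=server-cert certificate fails for every real hostname, the CN-only certificate passes only for foo.example.com in any letter case, and the subjectAltName certificate additionally covers ldap.example.com and one-label hosts under dc1.example.com. Setting TLS_REQCERT never in ldap.conf removes this comparison entirely rather than making the name match, which is why both posters advise against it.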