
List:       ldap
Subject:    [ldap] Re: SSL/TLS certificate issues
From:       Michael_Ströder <michael () stroeder ! com>
Date:       2007-02-28 7:02:52
Message-ID: 45E5291C.7010101 () stroeder ! com

Magnus Morén wrote:
> Michael Ströder wrote:
> > Magnus Morén wrote:
> > > 2)  What is the "best practice" here? Try to get Verisign to include
> > > subjectaltname OR 
> > 
> > A CA is free to issue certs based on their policy which also contains a
> > cert profile (including the extensions). One might suspect that
> > subjectAltName might be regarded as extension causing harm to the
> > pay-per-DNS-name business of Verisign...
> 
> True.
> 
> Does anybody know of another CA (other than Verisign) that can
> include subjectAltName?

Unlikely. Since commercial CAs charge per DNS name you will at least have
to pay per DNS name. Maybe you could talk to the cacert.org people?

> > Do you benefit in any way from the pre-installed CA certs of Verisign? If
> > not, run your own CA.
> 
> The benefit of using a pre-installed CA cert is the fact that I do not
> need to install my own CA in all client systems.

This depends on the LDAP clients used. Mozilla, Outlook or such?

> We are in the position right now where we can choose to do either way,
> but we want to choose "the best way".

Nobody can suggest "the best way". This depends on client software,
support processes, security requirements...

> > And why not simply install the same cert and key pair on all your
> > replicas? Are the hostnames xyz1.hh.se or xyz2.hh.se also directly used
> > with SSL/TLS (e.g. for replication)?
> [..]
> My concern with this "use the same cert and key pair on all your
> replicas" is the following text from the installation documentation of
> our LDAP server software:
> 
> "SYMAS, Installation Guidelines and General Information for Connexitor
> Directory Services Version 3"
> 
> "The only field where an answer is prescribed is the Common Name
> (CN) field. For this field you MUST enter the fully qualified dns name
> of the machine on which the CDS server (slapd) will be running. Note
> that this name must match what the reverse DNS lookup will return, so a
> made-up DNS name will not work."

Hmm, does Symas also give a reference to a RFC why? I don't have the
current RFC for TLS at hand right now. None of the installations I know
of uses certs where the CN matches the DNS PTR record of the IP address
of the server.

Ciao, Michael.


---
You are currently subscribed to ldap@umich.edu as: [ldap@progressive-comp.com]
To unsubscribe send email to ldap-request@umich.edu with the word UNSUBSCRIBE as the \
SUBJECT of the message.
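Added example, not part of the original thread: the server-identity rule the thread circles around, as specified in RFC 2818 section 3.1 and, for LDAP, RFC 4513 section 3.1.3. If the certificate carries any dNSName subjectAltName entries, the client matches the hostname it connected to against those and ignores the CN; the CN is only a fallback for SAN-less certificates; and a reverse-DNS (PTR) lookup plays no part in the check. The stdlib-only Python below was written here to illustrate that rule (it is not Symas's or any LDAP client's code), takes a certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`, and the sample certificates are constructed: xyz1.hh.se and xyz2.hh.se come from the thread, while ldap.hh.se, other.hh.se and the wildcard are assumed names.

```python
"""Server-identity check in the style of RFC 2818 s3.1 / RFC 4513 s3.1.3.

Illustrative code only, stdlib only. The certificate argument has the shape
of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each RDN a
tuple of (type, value) pairs; 'subjectAltName' is a tuple of (type, value).
"""


def _dnsname_matches(pattern, hostname):
    """Case-insensitive match of one presented dNSName (or CN) against the
    hostname the client connected to. A single '*' is accepted only as the
    whole leftmost label, it must cover exactly one label, it may not match
    an IDNA (xn--) label, and '*.se' style patterns are rejected as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    host_labels = hostname.split(".")
    if labels[0] != "*" or pattern.count("*") != 1 or len(labels) < 3:
        return False
    if len(labels) != len(host_labels):
        return False  # '*.hh.se' does not match 'a.b.hh.se' or 'hh.se'
    if host_labels[0].startswith("xn--"):
        return False
    return labels[1:] == host_labels[1:]


def presented_names(cert):
    """Return (names, source). Any dNSName SAN entries take precedence and
    make the CN irrelevant; the CN is consulted only for SAN-less certs."""
    san = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return cns, "commonName"


def match_hostname(cert, hostname):
    """True if the certificate is valid for `hostname`. Note what is NOT
    consulted: the PTR record of the server's IP address."""
    names, _source = presented_names(cert)
    return any(_dnsname_matches(n, hostname) for n in names)


# Constructed sample certificates (not real issued certs).
# One cert and key pair shared by all replicas, each replica listed in the SAN:
REPLICA_CERT = {
    "subject": ((("commonName", "ldap.hh.se"),),),
    "subjectAltName": (
        ("DNS", "ldap.hh.se"),
        ("DNS", "xyz1.hh.se"),
        ("DNS", "xyz2.hh.se"),
    ),
}
# Legacy cert with no SAN at all: CN is the only identity a client can use.
CN_ONLY_CERT = {"subject": ((("commonName", "xyz1.hh.se"),),)}
# CN names the replica, but a SAN is present and does not: the CN is ignored.
CN_NOT_IN_SAN_CERT = {
    "subject": ((("commonName", "xyz1.hh.se"),),),
    "subjectAltName": (("DNS", "other.hh.se"),),
}
# Wildcard covering every direct child of hh.se.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.hh.se"),),),
    "subjectAltName": (("DNS", "*.hh.se"),),
}

if __name__ == "__main__":
    for cert_name, cert in [("REPLICA", REPLICA_CERT), ("CN_ONLY", CN_ONLY_CERT),
                            ("CN_NOT_IN_SAN", CN_NOT_IN_SAN_CERT), ("WILDCARD", WILDCARD_CERT)]:
        names, source = presented_names(cert)
        print(cert_name, "identities from", source + ":", names)
        for host in ("xyz1.hh.se", "xyz2.hh.se", "a.b.hh.se"):
            print("  ", host, "->", match_hostname(cert, host))
```

The practical consequence for the thread's question: if a CA will not add the replica names to the SAN, a certificate whose CN is one replica's name is valid for that replica only, and adding a SAN later makes the CN irrelevant, so every name the clients will use has to be in the SAN. The requirement in the Symas text that the CN match the PTR record has no counterpart in this check; what must match is the name the client was configured to connect to.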

