On Mon, Jul 23, 2007 at 01:51:19PM +0000, Emmanuel Dreyfus wrote:
> In order to have this working, we need x509 certificates that have
> the subjectAltName extension. This is not an OpenLDAP-specific problem,
> but the information about how to do it seems difficult to find, hence,
> here is the result of my experiments.
> 1) Creating a CSR
> On the LDAP servers, we need to set up OpenSSL for generating the certificate
> request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf:
> req_extensions = v3_req
> Then, we need a [ v3_req ] section:
> [ v3_req ]
> basicConstraints = CA:FALSE
> subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"
I actually found that I could use the following:
[ dev_ldap ]
subjectAltName=DNS:ldap.example.com
basicConstraints=CA:FALSE
I then used 'srv1.example.net' as the CN for the certificate. The
OpenSSL libraries were quite happy with this; I can refer to the host as
ldap.example.com or srv1.example.com and certificate verification will
succeed.
Then, to sign, I use `openssl ca -extensions dev_ldap -in srv1.csr -out srv1.crt'.
This allowed me to use the 'dev_ldap' extension set only for my
development config while issuing all other certificates fell back to the
'v3_req' default configuration. It also seems cleaner to me to only
specify the actual alternate name in the AltName field.
> It seems the subjectAltName has to be set in the config file. I found no
> way to have it prompted by the openssl command.
This was my experience too.
--
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
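The procedure the thread describes, as an added example that is not from either poster: a throwaway CA issues a certificate whose CN is srv1.example.net and whose subjectAltName also carries ldap.example.net, then `openssl verify -verify_hostname` shows which names are accepted. The host names are the thread's; the CA name, paths, key size and the `ca_ext` section are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA, issue one cert
# with the SAN from the thread, and count which hostnames OpenSSL accepts.
# Host names follow the thread; CA name, paths and key size are constructed.
set -e

write_cnf() {  # minimal openssl.cnf in the layout the thread describes
cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
CN = srv1.example.net
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = "DNS:ldap.example.net, DNS:srv1.example.net"
[ dev_ldap ]
subjectAltName   = DNS:ldap.example.net, DNS:srv1.example.net
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# issue_and_verify DIR: prints how many of three hostnames verify (expect 2)
issue_and_verify() {
  d="$1"; mkdir -p "$d"; write_cnf "$d/openssl.cnf"
  # Throwaway CA (constructed for the example)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -config "$d/openssl.cnf" -extensions ca_ext -subj "/CN=Example Test CA" \
    -days 1 2>/dev/null
  # CSR: req_extensions = v3_req puts the SAN into the request itself
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/srv1.key" \
    -out "$d/srv1.csr" -config "$d/openssl.cnf" 2>/dev/null
  # Sign. OpenSSL ignores the request's extensions unless told to copy them, so
  # the issued SAN comes from the -extensions section, as with -extensions dev_ldap.
  openssl x509 -req -in "$d/srv1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/openssl.cnf" -extensions dev_ldap \
    -out "$d/srv1.crt" 2>/dev/null
  n=0
  for h in ldap.example.net srv1.example.net other.example.net; do
    # hostname matching uses the SAN DNS entries; the CN is not consulted
    if openssl verify -CAfile "$d/ca.crt" -verify_hostname "$h" \
         "$d/srv1.crt" >/dev/null 2>&1; then n=$((n + 1)); fi
  done
  echo "$n"
}
```

Run `issue_and_verify "$(mktemp -d)"`; it prints 2, since only the two SAN names verify and other.example.net is rejected.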