2013/10/21 Howard Chu <hyc@symas.com>

lejeczek wrote:

that was me, the way I tried to sing certificate were...
incorrect

apologies and great and many thanks to everybody

I can now ldapsearch on both slapd.domain.local and
slap.domain.external with -ZZZ, all good (only cannot
confirm if CN has to be repeated in subjectAltName as per
Olo's tip, currently it IS repeatedin my cert)

No. The CN does not need to be repeated, anyone who says so is wrong. Other libraries (e.g. old Solaris/Sun/Mozilla LDAP) may have required this but they are defective and obsolete. The Mozilla LDAP SDK has been abandoned, and Solaris 11 now bundles OpenLDAP.

The CN has to be repeated. Newer libraries ignore anything contained in the CN if the SAN is populated. Antique PKI usages use CN to store FQDN and/or IP adresses (which is bad in itself), and this can't work with NameConstraints.

See RFC2830 (section 3.6) and RFC4513 (section 3.1.3) for LDAP, see RFC2818 (section 3.1) for HTTP, see RFC6125 for a broader view. Then see browsers root programs and CABForum Baseline Requirements (sections 9.2.1 and 9.2.2) for rules applied to public CAs (and reflected in the corresponding TLS toolkits).

--
Erwann.