On Tue, Jan 14, 2014 at 03:09:43PM -0500, Borresen, John - 0442 - MITLL wrote:
These will be self-signed certs. Internally facing servers, approximately 120 to 200 client end-user machines, and 200 to 500 "other" servers.
We, that is my group, do not "own" the facility's domain name (llan.ll.mit.edu); our ldap name does not have the mit.edu in its name -- long story.
Do you mean that you'll be accessing these hosts using non-fully qualified hostnames? (e.g. 'server1.llan.ll' or 'server1' ?) If so, you can put these names in the SAN list. You can put IPs in there, too, but MS wants special treatment for that...
Really, though, as you're doing this all privately, you need to consider:
- How often would the membership of your cluster change (adding/removing hosts)?
- How are you distributing the trust of the signer? One CA means your clients only need to be told once about the signer, and self-signed means your clients need to be told about each cert. (Well, each signer, but sounds like it's implicitly fluid, given the prior question.)
If:
- cluster membership will change
- you don't want to touch each client when that happens
- you're using non-fully qualified hostnames
Then I think you'll benefit from a CA, rather than self-signed certificates.
That doesn't address wildcard vs a SAN list. Can you forecast that the current and future hostnames for your cluster will always be expressible as a wildcard? If not, consider a SAN list.
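As an added illustration of the two points above (one private CA that clients are told about once, and a SAN list carrying the short hostnames and IPs clients actually use), the script below is example code written for this page, not something from the thread or from OpenSSL's own documentation. The CA name, the hostnames server1.llan.ll / server1, the address 10.0.0.5 and the working directory are constructed placeholders; it assumes an OpenSSL 1.1.0 or later binary on PATH (for `-verify_hostname` and `-verify_ip`).

```shell
#!/bin/sh
# Added example (not from the thread): build a tiny private CA, issue one
# server certificate whose SAN lists short hostnames and an IP, then verify
# it the way a client would. All names, IPs and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/ca.key";       CA_CRT="$WORK/ca.crt"
SRV_KEY="$WORK/server1.key"; SRV_CSR="$WORK/server1.csr"; SRV_CRT="$WORK/server1.crt"

# One CA: clients are told about this single signer once. In real use the
# CA key stays offline; here it lives in the scratch directory.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$CA_KEY" -out "$CA_CRT" >/dev/null 2>&1
}

# Issue a leaf certificate. The SAN carries every form of the name clients
# will type: the partially qualified name, the bare short name, and the IP.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=server1.llan.ll" \
    -keyout "$SRV_KEY" -out "$SRV_CSR" >/dev/null 2>&1
  cat > "$WORK/san.ext" <<EOF
subjectAltName = DNS:server1.llan.ll, DNS:server1, IP:10.0.0.5
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/san.ext" \
    -out "$SRV_CRT" >/dev/null 2>&1
}

# Client-side check: trust only the CA certificate, then require that the
# name or address being connected to appears in the certificate's SAN.
verify_name() {  # $1 = hostname as the client would use it
  openssl verify -CAfile "$CA_CRT" -verify_hostname "$1" "$SRV_CRT" >/dev/null 2>&1
}
verify_ip() {    # $1 = IP address as the client would use it
  openssl verify -CAfile "$CA_CRT" -verify_ip "$1" "$SRV_CRT" >/dev/null 2>&1
}

make_ca
issue_server_cert
verify_name server1.llan.ll && echo "server1.llan.ll: accepted"
verify_name server1         && echo "server1 (short name): accepted"
verify_ip   10.0.0.5        && echo "10.0.0.5: accepted"
verify_name server2         || echo "server2 is not in the SAN: rejected, as it should be"
```

Adding a host to the cluster means re-running `issue_server_cert` for that host with its own SAN list; the clients keep trusting the same `ca.crt` and do not need to be touched, which is the practical difference from per-host self-signed certificates.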