Hi,

I'm trying to figure out the best way to create certificates for LDAPS on servers that replicate to each other. I'm not huge on PKI knowledge, so I'm not exactly sure if what I have is correct.

I have two openldap servers that essentially look like this:

serverA (provider) ----> serverB (consumer)

serverA, serverB and all clients have "URI ldaps://serverA ldaps://serverB" in ldap.conf.

I'm trying to make sure all clients can query both serverA and serverB via LDAPS - without extensive re-configuration of ldap.conf should serverA fail. In other words, I want the clients to just work, so it doesn't distract the admins from fixing serverA.

I figured the best way to do this would be to create a single private key on serverA, and from that create certificates for serverA, serverB and any other client. serverB gets a copy of the single private key, just in case.

serverA:
olcTLSCACertificateFile: /path/to/certificate-authority.crt
olcTLSCertificateKeyFile: /path/to/shared-key.key
olcTLSCertificateFile: /path/to/serverA-certificate.crt
ldap.conf: TLS_CACERT /path/to/certificate-authority.crt

serverB:
olcTLSCACertificateFile: /path/to/certificate-authority.crt
olcTLSCertificateKeyFile: /path/to/shared-key.key
olcTLSCertificateFile: /path/to/serverB-certificate.crt
ldap.conf: TLS_CACERT /path/to/certificate-authority.crt

Does this look correct, given that syncrepl needs to occur between serverA+serverB during normal operation, but LDAPS needs to function correctly between serverB+clients when serverA has failed?

Thanks in advance,

Bob.
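An added example, not part of Bob's post: a POSIX shell script that builds the layout described above with openssl (one private CA whose certificate is shared with both servers and all clients, one CA-signed certificate per server) and then runs the two checks a client performs when it opens ldaps://serverA or ldaps://serverB: the chain must lead to the CA in TLS_CACERT, and the certificate must carry the hostname from the URI in its subjectAltName. The hostnames serverA/serverB, the scratch directory, the key size, the validity periods and the self-contained openssl.cnf are assumptions. It generates a separate key per server; the same commands work from one shared key file if both CSRs are created with -key instead of -newkey.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and one
# LDAPS server certificate per OpenLDAP host, then run the checks a client
# performs when it connects to ldaps://<host>.
# Assumptions: hostnames serverA/serverB, a scratch directory, and a
# self-contained openssl.cnf written below so no system config is needed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTS="serverA serverB"

# Minimal OpenSSL config: the subject comes from -subj, the CA extensions
# from the ca_ext section (basicConstraints marks the CA certificate as a CA).
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA: its certificate is what olcTLSCACertificateFile and
# TLS_CACERT point at on both servers and on every client. The CA key is
# only needed at signing time and does not belong on the LDAP servers.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/openssl.cnf" -extensions ca_ext \
    -subj "/CN=example-ldap-ca" \
    -keyout "$WORKDIR/certificate-authority.key" \
    -out "$WORKDIR/certificate-authority.crt" 2>/dev/null
}

# One key and one CA-signed certificate per host. The subjectAltName must
# carry the name clients use in ldap.conf's URI, because that is what
# hostname verification compares against (the CN is ignored when a SAN exists).
make_server_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORKDIR/openssl.cnf" -subj "/CN=$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORKDIR/$host.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/$host.csr" \
    -CA "$WORKDIR/certificate-authority.crt" \
    -CAkey "$WORKDIR/certificate-authority.key" -CAcreateserial \
    -extfile "$WORKDIR/$host.ext" \
    -out "$WORKDIR/$host-certificate.crt" 2>/dev/null
}

# Returns 0 when the certificate issued to $1 chains to the CA AND is valid
# for hostname $2, i.e. exactly what a client checks for ldaps://$2.
verify_for_host() {
  openssl verify -CAfile "$WORKDIR/certificate-authority.crt" \
    -verify_hostname "$2" "$WORKDIR/$1-certificate.crt" >/dev/null 2>&1
}

# Emit the cn=config attribute values for one server (paste into an ldapmodify LDIF).
print_olc_tls() {
  printf 'olcTLSCACertificateFile: %s/certificate-authority.crt\n' "$WORKDIR"
  printf 'olcTLSCertificateKeyFile: %s/%s.key\n' "$WORKDIR" "$1"
  printf 'olcTLSCertificateFile: %s/%s-certificate.crt\n' "$WORKDIR" "$1"
}

build_pki() {
  write_config
  make_ca
  for h in $HOSTS; do make_server_cert "$h"; done
}

build_pki
for h in $HOSTS; do
  if verify_for_host "$h" "$h"; then
    echo "$h: certificate chains to the CA and matches ldaps://$h"
  else
    echo "$h: certificate FAILS client verification" >&2
    exit 1
  fi
  print_olc_tls "$h"
done
```

Running it prints the three olcTLS* lines for each server; certificate-authority.crt is the file to distribute as TLS_CACERT, and the serverA/serverB key and certificate files go only to their own host. Calling verify_for_host serverA serverB returns non-zero: a certificate naming serverA never satisfies a client that was told ldaps://serverB, which is why each replica needs a certificate carrying its own name regardless of how the keys are managed.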