These will be self-signed certs. Internally facing servers, approximately 120 to 200
client end-user machines, and 200 to 500 "other" servers.
We, that is my group, does not "own" the facilities domainname
); our ldap name is does not have the mit.edu
in its name -- long story.
From: Brian Reichert [mailto:firstname.lastname@example.org]
Sent: Tuesday, January 14, 2014 2:32 PM
To: Borresen, John - 0442 - MITLL
Cc: Quanah Gibson-Mount; openldap-technical(a)openldap.org
Subject: Re: N-Way-Multimaster Configuration
On Tue, Jan 14, 2014 at 02:22:53PM -0500, Borresen, John - 0442 - MITLL wrote:
Using TLS. To create the certificates, finding a lot of varying
ideas via google, what is the "best practice" to create certificates to where I
don't have to touch each client if a server goes down. Create a wildcard cert or use
the subjectAltName in the openssl.cnf file?
Is this a public-facing server, or strictly internally facing?
Will you be using an in-house CA?
I'm a fan of an in-house CA (note: note the same as a self-signed cert), and a
well-populated SAN list, possibly incorporating IP addresses as well.
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Surveillance Systems Group
244 Wood St
Lexington, MA 02420
Brian Reichert <reichert(a)numachi.com>
BSD admin/developer at large