Ulrich Windl wrote:
Michael Ströder michael@stroeder.com schrieb am 10.12.2014 um 09:44 in
Nachricht 548807E4.5000108@stroeder.com:
Ulrich Windl wrote:
I use a cert with the VIP used by clients, and the hostnames used between the servers all setup in the subjectaltname of the certificate.
But this "solution" does not scale well when adding or removing servers...
Why does it not scale?
If you have an individual cert for each server with the VIP DNS name in subjectAltName you can just add servers as needed.
The point is: If you change one server, you'll have to update certificates for all active servers;
Nonsense. This will only be the case if you change the VIP's DNS name.
Or could you please tell us what's so hard to understand with "individual cert for each server"?
not to talk about that fact that all certificates will expire exactly at the same time.
Uuuh... yes, there's work out there to be done. So what's the real problem?
Ciao, Michael.
openldap-technical@openldap.org
-
Michael Ströder