Re: Antw: RE: N-Way multimaster Replication with TLS and multiple server certificates

Wednesday, 10 December 2014

Ulrich Windl wrote:
...
>>> Michael Ströder <michael(a)stroeder.com&gt; schrieb am
10.12.2014 um 09:44 in
 Nachricht <548807E4.5000108(a)stroeder.com&gt;:
> Ulrich Windl wrote:
>>> I use a cert with the VIP used by clients, and the hostnames used between
>>> the servers all setup in the subjectaltname of the certificate.
>>
>> But this "solution" does not scale well when adding or removing
servers...
>
> Why does it not scale?
>
> If you have an individual cert for each server with the VIP DNS name in
> subjectAltName you can just add servers as needed.

 The point is: If you change one server, you'll have to update certificates for
 all active servers; 
Nonsense. This will only be the case if you change the VIP's DNS name.

Or could you please tell us what's so hard to understand with "individual cert
for each server"?

...
 not to talk about that fact that all certificates will
 expire exactly at the same time. 
Uuuh... yes, there's work out there to be done.
So what's the real problem?

Ciao, Michael.

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007