Sunday, June 12, 2016

[389-users] Re: 389 directory server wildcard certificate

On Sun, 2016-06-12 at 16:39 +0000, xinhuan zheng wrote:
> I need to deploy multiple 389 directory server instances into production environment. I want to know if 389 directory server
> supports wildcard server certificate. Currently the subject for my instance is:
>
> Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
>
> When using wildcard, it will be:
>
> Subject: "CN=*.christianbook.com,OU=389 Directory Server"

Yes.

>
> Is it possible?
>
> I guess GoDaddy might be able to support wildcard certificate but I am not sure. Does anyone know about it?

No sorry. Wild cards cost a lot.


I would recommend a better approach. NSS supports SAN (SubjectAltenativeNames) on certs.

So you make a cert with:

certutil -R -f pwdfile.txt -d . -t "C,," -x -n "Server-Cert" -g 2048\
-s "CN=nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU" \
-8 "nss.dev.example.com,nss-alt.dev.example.com" -o nss.dev.example.com.csr

This certificate once signed would be useable with:

* nss.dev.example.com
* nss-alt.dev.example.com

There's no real limit to how many alternative names you can have, but it's a good idea to plan your deployment so you don't have
to keep re-issuing these when you request more certs.

Remember, this still needs signing so you would need to send the .csr to your CA


I hope that helps you,

>
> Thanks,
> - xinhuan
> --
> 389-users mailing list
> 389-users@lists.fedoraproject.org
> https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

No comments:

Post a Comment