On Sun, 2016-06-12 at 16:39 +0000, xinhuan zheng wrote:
> I need to deploy multiple 389 directory server instances into production environment. I want to know if 389 directory server
> supports wildcard server certificate. Currently the subject for my instance is:
>
> Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
>
> When using wildcard, it will be:
>
> Subject: "CN=*.christianbook.com,OU=389 Directory Server"
Yes.
>
> Is it possible?
>
> I guess GoDaddy might be able to support wildcard certificate but I am not sure. Does anyone know about it?
No sorry. Wild cards cost a lot.
I would recommend a better approach. NSS supports SAN (SubjectAltenativeNames) on certs.
So you make a cert with:
certutil -R -f pwdfile.txt -d . -t "C,," -x -n "Server-Cert" -g 2048\
-s "CN=nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU" \
-8 "nss.dev.example.com,nss-alt.dev.example.com" -o nss.dev.example.com.csr
This certificate once signed would be useable with:
* nss.dev.example.com
* nss-alt.dev.example.com
There's no real limit to how many alternative names you can have, but it's a good idea to plan your deployment so you don't have
to keep re-issuing these when you request more certs.
Remember, this still needs signing so you would need to send the .csr to your CA
I hope that helps you,
>
> Thanks,
> - xinhuan
> --
> 389-users mailing list
> 389-users@lists.fedoraproject.org
> https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
No comments:
Post a Comment