Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

SSL certificates on server

  • 10-05-2012 6:17pm
    #1
    Registered Users, Registered Users 2 Posts: 200 ✭✭


    Hi,

    I am trying to delve a little deeper into this topic by setting up my own CA and using it to sign certificates that I create.

    I understand that I can use the CA to sign a certificate each for Server1 and Server2, (then secure copy the files over to the respective servers). No issues here.

    What I want to acheive is to use my own CA to sign a number of different certificates for say Server1 only, for each individual server application (e.g. Apache, OpenLDAP, etc).

    I am not sure if this:
    a) can be done and
    b) should be done.

    Let's say I create the cert for Apache using the CN of Server1.mydomain.net, I cannot create a cert for use with OpenLDAP using the same CN. I could just use the one certificate per server, however, keeping with this example, OpenLDAP usually requires other options (such as tls_www_server, signingkey, etc), and I do not understand where I can place these options. I am sure that if I try to do the same thing for a third server application, then I will run into the same problems.

    I am using openssl for this process. I tried to use certtool also, but I think the problem is my understanding of the concept, rather than the commands.

    Any help or pointers appreciated. Specifically, what is considered best practice for a single server using SSL with multiple server applications.

    Regards,
    druidhill


Comments

  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    You can use the Organisational Unit to differentiate between services.

    OU=www

    OU=ldap

    OU=email

    You can keep the same common name and/or use certificates with multiple names.

    http://wiki.cacert.org/VhostTaskForce

    Multiple names in a certificate can be confusing and are more often used in web server situations rather than anywhere else™ :) You'll need to configure the openssl.cnf file to allow adding additional extensions/information to specific certificates/requests.


  • Registered Users, Registered Users 2 Posts: 200 ✭✭druidhill


    Thanks schrodinger, that worked great for me in terms of generating certificates. OpenLDAP is started but not working correctly now, but that's a seperate issue to the problem I described.

    Appreciate the help - was really struggling with this and any documentation I came across seemed to say the CN had to be unique.


  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    druidhill wrote: »
    Thanks schrodinger, that worked great for me in terms of generating certificates. OpenLDAP is started but not working correctly now, but that's a seperate issue to the problem I described.

    Appreciate the help - was really struggling with this and any documentation I came across seemed to say the CN had to be unique.

    Context is everything. Yes it does need to be unique but there's no reason why "druidhill.example.com" can't have a certificate for each of the following using "druidhill.example.com" as the CN.
    • smtp
    • www
    • pop3
    • imap
    • LDAP

    Yes, smtp. pop3 and imap can be combined into a simple "ou=mail" This is just an example. Or you could just simply have OU=services and use the same cert for all of them. It's up to your own choice / implementation. Everyone has varying opinions about The Best Way™

    Some references:

    * Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

    * Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework


Advertisement