
SSL certificates on server

  • 10-05-2012 07:17PM #1
    druidhill (Registered User, 200 posts)


    Hi,

    I am trying to delve a little deeper into this topic by setting up my own CA and using it to sign certificates that I create.

    I understand that I can use the CA to sign a certificate each for Server1 and Server2, (then secure copy the files over to the respective servers). No issues here.

    What I want to achieve is to use my own CA to sign a number of different certificates for say Server1 only, for each individual server application (e.g. Apache, OpenLDAP, etc).

    I am not sure if this:
    a) can be done and
    b) should be done.

    Let's say I create the cert for Apache using the CN of Server1.mydomain.net, I cannot create a cert for use with OpenLDAP using the same CN. I could just use the one certificate per server, however, keeping with this example, OpenLDAP usually requires other options (such as tls_www_server, signingkey, etc), and I do not understand where I can place these options. I am sure that if I try to do the same thing for a third server application, then I will run into the same problems.

    I am using openssl for this process. I tried to use certtool also, but I think the problem is my understanding of the concept, rather than the commands.

    Any help or pointers appreciated. Specifically, what is considered best practice for a single server using SSL with multiple server applications.

    Regards,
    druidhill


Comments

  • schrodinger (Registered User, 326 posts)


    You can use the Organisational Unit to differentiate between services.

    OU=www

    OU=ldap

    OU=email

    You can keep the same common name and/or use certificates with multiple names.

    http://wiki.cacert.org/VhostTaskForce

    Multiple names in a certificate can be confusing and are more often used in web server situations rather than anywhere else™ :) You'll need to configure the openssl.cnf file to allow adding additional extensions/information to specific certificates/requests.


  • druidhill (Registered User, 200 posts)


    Thanks schrodinger, that worked great for me in terms of generating certificates. OpenLDAP is started but not working correctly now, but that's a separate issue to the problem I described.

    Appreciate the help - was really struggling with this and any documentation I came across seemed to say the CN had to be unique.


  • schrodinger (Registered User, 326 posts)


    druidhill wrote:
    Thanks schrodinger, that worked great for me in terms of generating certificates. OpenLDAP is started but not working correctly now, but that's a separate issue to the problem I described.

    Appreciate the help - was really struggling with this and any documentation I came across seemed to say the CN had to be unique.

    Context is everything. Yes it does need to be unique but there's no reason why "druidhill.example.com" can't have a certificate for each of the following using "druidhill.example.com" as the CN.
    • smtp
    • www
    • pop3
    • imap
    • LDAP

    Yes, smtp, pop3 and imap can be combined into a simple "ou=mail". This is just an example. Or you could just simply have OU=services and use the same cert for all of them. It's up to your own choice / implementation. Everyone has varying opinions about The Best Way™

    Some references:

    * Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

    * Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

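Putting the two answers above into commands, as an added worked example (this is not code from either poster): a throwaway private CA signs two certificates for the same host, one with OU=www and one with OU=ldap, each carrying the shared CN plus a subjectAltName, a serverAuth extended key usage and its own serial number. The host and domain names (server1.example.net, www.example.net, ldap.example.net), the organisation name and the OU values are placeholders. The per-service sections in ext.cnf are the openssl counterpart of the certtool options (tls_www_server and friends) asked about in the opening post; they are selected at signing time with -extfile/-extensions. Two caveats a practitioner would want alongside this: TLS clients match the name they connected to against the subjectAltName, not the CN or the OU (RFC 6125 treats CN as a legacy fallback and Chrome stopped using it in 2017), so the OU is bookkeeping for whoever runs the CA; and what a CA must keep unique is the serial number per issuer (RFC 5280), not the subject, which is why several certificates with the same CN are perfectly valid.

```shell
#!/bin/sh
# Added example, not from the thread: one private CA, one host, one
# certificate per service. Both leaf certs share CN=server1.example.net and
# differ in OU, subjectAltName, key and serial. All names are placeholders.
set -eu

CA_DIR="$(mktemp -d)"
trap 'rm -rf "$CA_DIR"' EXIT
HOST="server1.example.net"   # stands in for Server1.mydomain.net

# Request config. -subj supplies the real subject on the command line, but
# openssl req still insists on a distinguished_name section being present.
# The v3_ca section is only used when self-signing the CA certificate.
cat > "$CA_DIR/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# One extension section per service. This is where the certtool-style options
# (tls_www_server and friends) live when signing with openssl: the SAN lists
# the host names clients connect to, the EKU limits the cert to TLS servers.
cat > "$CA_DIR/ext.cnf" <<EOF
[ www_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST, DNS:www.example.net
authorityKeyIdentifier = keyid

[ ldap_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST, DNS:ldap.example.net
authorityKeyIdentifier = keyid
EOF

# make_ca: self-signed CA key pair and certificate.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA_DIR/req.cnf" -extensions v3_ca \
    -subj "/O=Example Lab/CN=Example Lab Private CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# issue_cert SERVICE: fresh key and CSR with OU=SERVICE and the shared CN,
# signed by the CA with the SERVICE_ext section. -CAcreateserial keeps a
# counter in ca.srl, so every certificate gets a distinct serial number,
# which is the uniqueness RFC 5280 actually requires (per issuer).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CA_DIR/req.cnf" \
    -subj "/O=Example Lab/OU=$1/CN=$HOST" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$CA_DIR/$1.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -extfile "$CA_DIR/ext.cnf" -extensions "${1}_ext" \
    -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Inspection helpers used to check the result.
cert_field() {   # cert_field SERVICE RDN -> value of that RDN in the subject
  openssl x509 -in "$CA_DIR/$1.crt" -noout -subject -nameopt RFC2253 |
    sed -n "s/.*$2=\([^,]*\).*/\1/p"
}
cert_sans() {    # cert_sans SERVICE -> "DNS:a,DNS:b"
  openssl x509 -in "$CA_DIR/$1.crt" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
cert_serial() { openssl x509 -in "$CA_DIR/$1.crt" -noout -serial; }
chain_ok() { openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null 2>&1; }
# hostname_ok SERVICE NAME: what a TLS client checks, chain plus SAN match.
hostname_ok() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$2" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert www
issue_cert ldap
for svc in www ldap; do
  chain_ok "$svc"
  printf '%s: CN=%s OU=%s SAN=%s %s\n' "$svc" "$(cert_field "$svc" CN)" \
    "$(cert_field "$svc" OU)" "$(cert_sans "$svc")" "$(cert_serial "$svc")"
done
```

The last check, hostname_ok, is the one that matters operationally: the www certificate validates for www.example.net and server1.example.net but not for ldap.example.net, even though all three certificates share a CN and an issuer. If Apache and OpenLDAP end up being reached under different DNS names, it is the SAN in each service's certificate, not its OU, that has to list them.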
