
SSL certificates on server

  • 10-05-2012 7:17pm
    Registered Users Posts: 200 ✭✭


    Hi,

    I am trying to delve a little deeper into this topic by setting up my own CA and using it to sign certificates that I create.

    I understand that I can use the CA to sign a certificate each for Server1 and Server2, (then secure copy the files over to the respective servers). No issues here.

    What I want to achieve is to use my own CA to sign a number of different certificates for say Server1 only, for each individual server application (e.g. Apache, OpenLDAP, etc).

    I am not sure if this:
    a) can be done and
    b) should be done.

    Let's say I create the cert for Apache using the CN of Server1.mydomain.net; I cannot create a cert for use with OpenLDAP using the same CN. I could just use the one certificate per server; however, keeping with this example, OpenLDAP usually requires other options (such as tls_www_server, signingkey, etc), and I do not understand where I can place these options. I am sure that if I try to do the same thing for a third server application, then I will run into the same problems.

    I am using openssl for this process. I tried to use certtool also, but I think the problem is my understanding of the concept, rather than the commands.

    Any help or pointers appreciated. Specifically, what is considered best practice for a single server using SSL with multiple server applications.

    Regards,
    druidhill


Comments

  • Registered Users Posts: 326 ✭✭schrodinger


    You can use the Organisational Unit to differentiate between services.

    OU=www

    OU=ldap

    OU=email

    You can keep the same common name and/or use certificates with multiple names.

    http://wiki.cacert.org/VhostTaskForce

    Multiple names in a certificate can be confusing and are more often used in web server situations rather than anywhere else™ :) You'll need to configure the openssl.cnf file to allow adding additional extensions/information to specific certificates/requests.


  • Registered Users Posts: 200 ✭✭druidhill


    Thanks schrodinger, that worked great for me in terms of generating certificates. OpenLDAP is started but not working correctly now, but that's a separate issue to the problem I described.

    Appreciate the help - was really struggling with this and any documentation I came across seemed to say the CN had to be unique.


  • Registered Users Posts: 326 ✭✭schrodinger


    druidhill wrote:
    Thanks schrodinger, that worked great for me in terms of generating certificates. OpenLDAP is started but not working correctly now, but that's a separate issue to the problem I described.

    Appreciate the help - was really struggling with this and any documentation I came across seemed to say the CN had to be unique.

    Context is everything. Yes it does need to be unique but there's no reason why "druidhill.example.com" can't have a certificate for each of the following using "druidhill.example.com" as the CN.
    • smtp
    • www
    • pop3
    • imap
    • LDAP

    Yes, smtp, pop3 and imap can be combined into a simple "ou=mail". This is just an example. Or you could just simply have OU=services and use the same cert for all of them. It's up to your own choice / implementation. Everyone has varying opinions about The Best Way™

    Some references:

    * Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

    * Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
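As an added example (not code from the thread or from either poster), the following script walks through what schrodinger's two replies describe: one private CA, a certificate per service for the same host with the same CN, the service recorded in the OU, and the per-certificate extensions supplied through a small openssl.cnf rather than the system one. It assumes a POSIX shell and the openssl command-line tool; the hostname server1.example.com, the CA subject "Example Lab" and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway private CA that issues
# one certificate per service for a SINGLE host. Every certificate carries the
# same CN, a different OU, and its own key pair; extensions come from a small
# openssl.cnf written below. Hostname, CA subject and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="server1.example.com"      # constructed hostname shared by all services
CFG="$WORK/openssl.cnf"

# Minimal config: one named extension section for the CA certificate and one
# for TLS server certificates. $HOST is expanded when the file is written, so
# the subjectAltName matches the host every service runs on.
write_config() {
  cat > "$CFG" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# superseded by -subj on the command line; the section only has to exist
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed CA certificate and key (constructed subject).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Lab/CN=Example Lab Private CA" \
    -config "$CFG" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Fresh key + CSR for one service, then a CA-signed certificate with the
# server_ext extensions. $1 is the service name and becomes the OU.
issue_service_cert() {
  svc="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Lab/OU=$svc/CN=$HOST" -config "$CFG" \
    -keyout "$WORK/$svc.key" -out "$WORK/$svc.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$svc.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$CFG" -extensions server_ext \
    -out "$WORK/$svc.crt" 2>/dev/null
}

# Chain check plus the hostname match a TLS client would perform.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Subject in RFC 2253 form, e.g. subject=CN=server1.example.com,OU=www,O=Example Lab
cert_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253
}

# SHA-256 of the certificate's public key, used to show the keys differ.
pubkey_fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

main() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to do" >&2
    return 0
  fi
  write_config
  make_ca
  for svc in www ldap; do
    issue_service_cert "$svc"
    if verify_cert "$svc"; then
      echo "$svc: $(cert_subject "$svc") verifies for $HOST"
    fi
  done
  if [ "$(pubkey_fingerprint www)" != "$(pubkey_fingerprint ldap)" ]; then
    echo "www and ldap certificates use different keys"
  fi
}
main
```

Two points the script makes that the thread only implies. First, clients match the host against subjectAltName (and historically the CN), never the OU, so the OU is bookkeeping for the operator and any service can present any of these certificates for the same hostname; giving each service its own key pair is what limits the damage if one daemon's key file is read. Second, the options certtool calls tls_www_server and signing_key are the extendedKeyUsage serverAuth and keyUsage digitalSignature lines in the server_ext section, which is where "those other options" live when the signing is done with openssl.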

