On Mon, 2016-06-13 at 16:15 +0000, xinhuan zheng wrote:
> Thanks for your valuable information. For SubjectAlternativeNames, the alternative names
> you have shown in the example
> contain a '-' symbol, like 'nss-alt.dev.example.com'. Is the '-'
> symbol required in the server's hostname? We don't use that
> hostname naming convention; we use something like 'nssdev1.example.com',
It's not required, it's just how I do my naming.
I personally use:
<service>.domain.tld -> CNAME to the instance OR load balancer A/AAAA
<inst>-<location>.<class>.domain.tld -> CNAME to the server
<hostname>.class.domain.tld -> The server
You can use whatever you like though :) Any valid DNS name can be a
> So if I purchase 'nssdev.example.com'
> SubjectAlternativeNames, would it work for 'nssdev1.example.com' and
You need to list *every* name on the cert.
So for you, I would advise you have:
... as needed.
But you can have many names, so there is no issue here.
For my previous example, I would have as subject alternative names:
This way every host can be accessed via the service names, and I can *reuse* the
certificate if I replace the host that one of the ldap01-<site> records points to.
Does this help you?
From: William Brown <wibrown(a)redhat.com>
To: General discussion list for the 389 Directory server project.
Sent: Sunday, June 12, 2016 5:22 PM
Subject: [389-users] Re: 389 directory server wildcard certificate
On Sun, 2016-06-12 at 16:39 +0000, xinhuan zheng wrote:
> I need to deploy multiple 389 directory server instances into a production
> environment. I want to know if 389 directory server
> supports wildcard server certificate. Currently the subject for my instance is:
> Subject: "CN=dmdev1.christianbook.com,OU=389 Directory Server"
> When using wildcard, it will be:
> Subject: "CN=*.christianbook.com,OU=389 Directory Server"
> Is it possible?
> I guess GoDaddy might be able to support wildcard certificate but I am not sure.
> Does anyone know about it?
No sorry. Wild cards cost a lot.
I would recommend a better approach. NSS supports SAN (SubjectAlternativeNames) on certs.
So you make a cert with:
certutil -R -f pwdfile.txt -d . -t "C,," -x -n "Server-Cert" -g \
 -s "CN=nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU" \
 -8 "nss.dev.example.com,nss-alt.dev.example.com" -o nss.dev.example.com.csr
This certificate, once signed, would be usable with:
There's no real limit to how many alternative names you can have, but it's a good
idea to plan your deployment so you don't have to keep re-issuing these when you
request more certs.
Remember, this still needs signing so you would need to send the .csr to your CA
I hope that helps you,
> - xinhuan
389-users mailing list
Red Hat, Brisbane
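The point William makes twice above, that every hostname a client will connect to must appear in the certificate's SAN list, and that a wildcard is not a substitute, is easy to get wrong when a deployment grows. The following is an added example and not code from the thread or from the 389 project: a small pure-stdlib Python checker that applies the usual dNSName matching rules (case-insensitive; a wildcard only as the whole leftmost label, matching exactly one label) to a planned SAN list and reports which hostnames would fail verification. All hostnames in it are constructed for illustration, following the naming scheme William describes.

```python
"""Report which deployment hostnames a planned SAN list does not cover.

Added example (not from the 389-users thread). Hostnames below are
constructed; the matching rules are the standard dNSName rules:
case-insensitive comparison, and a '*' only as the entire leftmost
label, matching exactly one label (so '*.example.com' does not cover
'ldap01-bne.dev.example.com', nor the bare 'example.com').
"""
from __future__ import annotations


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing root dot if present."""
    return name.strip().lower().rstrip(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the dNSName SAN entry `san` covers `hostname`."""
    san = _normalize(san)
    hostname = _normalize(hostname)
    if not san.startswith("*."):
        # Non-wildcard entries must match exactly.
        return san == hostname
    # Wildcard entry: require a suffix of at least two labels (refuse '*.com').
    san_suffix = san.split(".", 1)[1]
    if san_suffix.count(".") < 1:
        return False
    host_labels = hostname.split(".")
    # The host must have a non-empty leftmost label plus the exact suffix.
    if len(host_labels) < 2 or "" in host_labels:
        return False
    return ".".join(host_labels[1:]) == san_suffix


def uncovered_hostnames(sans: list[str], hostnames: list[str]) -> list[str]:
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed SAN list in the style of the thread: a service name plus
# one per-instance name per site, and the asker's own naming convention.
PLANNED_SANS = [
    "ldap.example.com",
    "ldap01-bne.dev.example.com",
    "ldap01-syd.dev.example.com",
    "nssdev1.example.com",
]

# Constructed list of names clients will actually use. One was added after
# the CSR was written and is therefore missing from the SAN list.
CLIENT_HOSTNAMES = [
    "ldap.example.com",
    "LDAP01-BNE.dev.example.com",   # case differs only; still covered
    "nssdev1.example.com",
    "nssdev2.example.com",          # new instance, not on the cert
]

# A single wildcard, to show why it is not a shortcut for the layout above.
WILDCARD_ONLY = ["*.example.com"]


def main() -> None:
    missing = uncovered_hostnames(PLANNED_SANS, CLIENT_HOSTNAMES)
    print("Not covered by the planned SAN list:", missing)
    wildcard_missing = uncovered_hostnames(WILDCARD_ONLY, CLIENT_HOSTNAMES)
    print("Not covered by '*.example.com' alone:", wildcard_missing)


if __name__ == "__main__":
    main()
```

Run it before sending a CSR to the CA: any name that appears in the first list needs to be added to the `-8` argument, and the second list shows that a wildcard purchased for the apex domain still leaves every `<inst>-<site>.<class>.example.com` name unverifiable.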