These will be self-signed certs. Internally facing servers, approximately 120 to 200 client end-user machines, and 200 to 500 "other" servers.
We, that is my group, does not "own" the facilities domainname (llan.ll.mit.edu); our ldap name is does not have the mit.edu in its name -- long story. -----Original Message----- From: Brian Reichert [mailto:reich...@numachi.com] Sent: Tuesday, January 14, 2014 2:32 PM To: Borresen, John - 0442 - MITLL Cc: Quanah Gibson-Mount; openldap-technical@openldap.org Subject: Re: N-Way-Multimaster Configuration On Tue, Jan 14, 2014 at 02:22:53PM -0500, Borresen, John - 0442 - MITLL wrote: > Using TLS. To create the certificates, finding a lot of varying ideas via > google, what is the "best practice" to create certificates to where I don't > have to touch each client if a server goes down. Create a wildcard cert or > use the subjectAltName in the openssl.cnf file? Is this a public-facing server, or strictly internally facing? Will you be using an in-house CA? I'm a fan of an in-house CA (note: note the same as a self-signed cert), and a well-populated SAN list, possibly incorporating IP addresses as well. > John D. Borresen (Dave) > Linux/Unix Systems Administrator > MIT Lincoln Laboratory > Surveillance Systems Group > 244 Wood St > Lexington, MA 02420 > Email: john.borre...@ll.mit.edu<mailto:john.borre...@ll.mit.edu> -- Brian Reichert <reich...@numachi.com> BSD admin/developer at large