After the last post on the OpenLDAP trouble I had, I’ve continued trying new things with it and can confirm that wildcard domain certificates do succeed with OpenLDAP.
When creating the certificate request enter for eg *.example.com in the common name field and you can then use the one certificate on all servers that fall in that domain.
BIG WARNING! This is very dangerous if the keys are not secured properly. As if somebody compromises one key, they have compromised all of the services on all the machines that use the same key! So make sure you really want to do this, have the file permissions set correctly and are prepared for the consequences.
2 Comments
can you show me listing your config for openLDAP with wildcard sertificate?
Thanks=)
There’s no special configs to use a wildcard certificate. Just change the values of TLSCertificateFile and TLSCertificateKey to point to newly generated wildcard certificates instead of the older specific certificates.
Note that Wildcard TLS certs only became available as of OpenLDAP 2.2 according to this post: http://www.openldap.org/lists/openldap-software/200504/msg00304.html
In other words, any modern distribution should be fine.