OpenLDAP TLS with wildcard domain certs

After the last post on the OpenLDAP trouble I had, I’ve continued trying new things with it and can confirm that wildcard domain certificates do work with OpenLDAP.

When creating the certificate request, enter e.g. *.example.com in the Common Name field; you can then use that one certificate on all servers that fall in that domain.

BIG WARNING! This is very dangerous if the keys are not secured properly: if somebody compromises the one key, they have compromised all of the services on all the machines that use it! So make sure you really want to do this, have the file permissions set correctly and are prepared for the consequences.
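As an added example (not code from the original post), the script below runs through the procedure end to end: it generates a self-signed certificate with CN *.example.com, asks OpenSSL which hostnames that certificate covers, checks that the key file has owner-only permissions as the warning demands, and prints the slapd directives (TLSCertificateFile and TLSCertificateKeyFile) that point OpenLDAP at the files. The working directory, file names and hostnames are constructed for the example; the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# wildcard certificate as the post describes (CN=*.example.com, no SAN),
# then checks which hostnames OpenSSL accepts for it and whether the key
# file is locked down. Paths and hostnames are constructed for the example.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT="$WORKDIR/wildcard.crt"
KEY="$WORKDIR/wildcard.key"

# Create the key and a one-day self-signed wildcard certificate.
# (A real deployment would send a CSR with this CN to its CA instead.)
make_wildcard_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=*.example.com" -keyout "$KEY" -out "$CERT" 2>/dev/null || return 1
    # The post's warning: this one key covers every server, so owner-only access.
    chmod 600 "$KEY"
}

# Return 0 if OpenSSL accepts the certificate for the given hostname.
# The certificate is its own trust anchor here, so only the name check can fail.
cert_matches_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Return 0 if the private key is readable by its owner only (mode 600).
key_is_private() {
    mode=$(stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY")
    [ "$mode" = "600" ]
}

# Print the slapd.conf directives that point OpenLDAP at these files.
slapd_tls_config() {
    printf 'TLSCertificateFile %s\nTLSCertificateKeyFile %s\n' "$CERT" "$KEY"
}

# Stand-alone run: a wildcard covers exactly one label, so only the first name matches.
make_wildcard_cert
for h in ldap1.example.com example.com ldap.sub.example.com; do
    if cert_matches_host "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
slapd_tls_config
```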


2 Comments

  1. espeto
    September 16, 2009 5:38 pm

    Can you show me a listing of your config for OpenLDAP with a wildcard certificate?

    Thanks=)

  2. P0tato
    October 6, 2011 2:34 am

    There are no special configs to use a wildcard certificate. Just change the values of TLSCertificateFile and TLSCertificateKey to point to the newly generated wildcard certificates instead of the older specific certificates.

    Note that Wildcard TLS certs only became available as of OpenLDAP 2.2 according to this post: http://www.openldap.org/lists/openldap-software/200504/msg00304.html

    In other words, any modern distribution should be fine.