Hi All,
I just thought I’d update this thread to report that we now have two sets of hosts that are accessed via DNS aliases and have certificates with the subject being the main hostname and a subjectAltName of the DNS alias and both appear to be working fine. The services we are running behind the aliases are argus and xrootd.
Yours,
Chris.
On 02/11/2015, 10:33, "Testbed Support for GridPP member institutes on behalf of Jensen, Jens (STFC,RAL,SC)" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>Yes, it's a good point, Ewan and Andrew. While sharing keys is not
>allowed it is sharing keys between /different entities/ that is not
>allowed (and even then it's only the active key; i.e. the key is allowed
>to be in backup, in a key store (maybe even in escrow, I can't remember)).
>
>So while I still think it is not best practice to share the same private
>key across hosts, I also don't think it is a reason for revocation if
>you do - after all, the "hosts" in this case all have the same name. My
>feeling is it's more like one of those RFC2119 SHOULD NOTs, i.e. you can
>do it if you understand and accept the consequences of doing it.
>
>Thanks for the comments/thoughts.
>
>-j
>
>On 02/11/2015 09:02, Andrew Sansum wrote:
>> Ewan's comment seems so reasonable I couldn't resist reading the CA policy document. For amusement from the CA policy:
>>
>> DNS - a DNS name identifying a host (physical or virtual) should use the . The DNS name need not resolve, but should be in a DNS namespace controlled by the Subscriber, as per (3.1). Multiple DNS names may be present if they are associated with the same End Entity. IP - IP addresses in certificates may be used.
>>
>> "For host certificates, the CN must either be A syntactically valid DNS name (the validity check that used to be RFC 1034), but need not actually resolve in DNS. A wildcard DNS name. In this case, the wildcard uses a '*' character and must be the first component of the name, or a part of the first component of the name."
>>
>> All very vague really. Doesn't seem to say much about what a "host" is - maybe a "host" could be three machines sharing a common CNAME :) ?
>>
>> Of course in the end it depends how the middleware stack implements the above set of checks - irrespective of what is written in the CP/CPS.
>>
>> Andrew
>> ________________________________________
>> From: Testbed Support for GridPP member institutes [[log in to unmask]] on behalf of Ewan MacMahon [[log in to unmask]]
>> Sent: Friday, October 30, 2015 4:08 PM
>> To: [log in to unmask]
>> Subject: Re: Fwd: Minutes from the WLCG Ops Coord meeting of 22-OCT-2015
>>
>>> -----Original Message-----
>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>> [log in to unmask]] On Behalf Of Jensen, Jens (STFC,RAL,SC)
>>>
>>> (a) get a certificate for the advertised name and share it across the
>>> servers
>>>
>>> Now (a) is a bad idea; it is against the rules of the CA (sharing keys)
>>> and what happens if you need to revoke it. So don't do that.
>> Wait, what? That doesn't seem right - if you've got a thing that's a singular thing (say, a service) that just happens to be implemented by more than one machine under the same administration, then it's not really sharing the key, and if you need to revoke the service's certificate it gets revoked once and equally affects all the machines behind the service, which sounds just fine to me.
>>
>> What rule is this against, and what does the rule actually say?
>>
>> Ewan
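Added example, not from this thread or any of its authors: pure-Python hostname matching in the RFC 6125 style that TLS clients apply to the subject-CN-plus-SAN-alias certificates Chris describes and to the wildcard rule in the CA policy Andrew quotes. The certificate dicts and names are constructed, in the shape Python's ssl.getpeercert() returns.

```python
# Constructed sample certificates in the shape ssl.getpeercert() returns.
# CN is the real hostname, SAN carries the DNS alias (the layout above).
ALIASED_HOST_CERT = {
    "subject": ((("commonName", "node01.example.org"),),),
    "subjectAltName": (("DNS", "argus.example.org"),),
}
# No SAN extension at all, only a CN.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
# Wildcard names: one valid, one with '*' outside the first component.
WILDCARD_CERT = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "host.*.example.net")),
}


def dns_name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented DNS identifier with the connected hostname (RFC
    6125 s6.4.3, as the CA policy quoted in the thread puts it): labels are
    case-insensitive; '*' is honoured only in the left-most label, may be a
    partial label (ce*.example.org) and never spans a dot."""
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    # A wildcard anywhere but the first component is rejected outright.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[1:] != h_labels[1:]:
        return False
    first, h0 = p_labels[0], h_labels[0]
    if "*" not in first:
        return first == h0
    # prefix*suffix must frame the host label; a second '*' lands in suffix
    # and can never match a real label, so it is rejected implicitly.
    prefix, _, suffix = first.partition("*")
    return (len(h0) >= len(prefix) + len(suffix)
            and h0.startswith(prefix) and h0.endswith(suffix))


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if cert is valid for hostname. With DNS entries in subjectAltName
    the CN is not consulted (RFC 6125 s6.4.4); the CN is only a fallback for
    SAN-less certificates."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(dns_name_matches(n, hostname) for n in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False
```

Once a subjectAltName with DNS entries is present, RFC 6125 clients stop consulting the CN, so a host that is also contacted by its main hostname needs that name in the SAN as well, not only in the subject.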