We have two different ldap providers in two different physical office locations.
When I connect my laptop to one location and I 'retrieve from port' (in WebSphere 6.1) to import the SSL cert of the LDAP provider, I can authenticate to the respective LDAP with no problems. If I take my laptop to the other office (that uses the other LDAP provider by default) and I plug in my laptop, my WAS on my laptop will not start because it says 'no trusted ssl cert found'.
If I 'retrieve from port' again and re import the cert then it works again.
Note that my WAS always tries to connect to one LDAP; it simply has no use for the other one.
If I go back to the other office I get the same error until I re-import from that location. The LDAP connection point is ldap.something.com:636 and is pingable in both locations with the same FQDN.
But when pinged it resolves to a different IP address in each office location. Why do I see that behavior?
Are SSL Certs somehow bound to a specific IP address?
If yes, then I need to maintain a different set of certs for each office location, right?
Note that there is no way to adjust the DNS servers to resolve the hostname to the same IP address, I checked.
Can someone provide some insight?
An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN) such as "https://www.domain.com". However, some organizations need an SSL certificate issued to a public IP address. This option allows you to specify a public IP address as the Common Name in your Certificate Signing Request (CSR).
Usually, both of them (your hosting provider and registrar) will offer SSL certificates for sale. But first, ask your hosting provider if they support LetsEncrypt, which is a free way of generating an SSL certificate for your site.
Dedicated IP addresses used to be a necessity if you wanted to install an SSL certificate on your site. But, with changing technology it's no longer a requirement. Typically, if you are using a dedicated IP address this will be because you're using a dedicated web server.
It depends on the CA and the certificate license. To install the same certificate on multiple servers, first install the certificate files to the server where the CSR was originally generated. Then import the files (along with the private key) to the respective servers.
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com) or even an IP address, though it usually isn't.
In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial number and fingerprint which will need to match. I assume the certificate is being rejected because these details don't match what's in your certificate store.
Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.
BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
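Added example (not part of this answer or of WebSphere): a small Python script that does the check this answer recommends, fingerprinting the certificate a server presents and comparing it against a trust store by fingerprint rather than by hostname. The two DER blobs are constructed stand-ins for the certificates the two LDAP hosts present (they are not real X.509, only bytes to hash); `fetch_server_cert_pem` is the live variant using the standard library's `ssl.get_server_certificate`, and the hostname `ldap.something.com` is taken from the question.

```python
import hashlib
import ssl
from typing import Iterable

# Constructed stand-in DER blobs for the certificates the two LDAP hosts present.
# Real DER would come from fetch_server_cert_pem(); these bytes are not valid X.509,
# but the fingerprint logic below only hashes the DER bytes, so they exercise it.
CERT_OFFICE_A_DER = b"constructed-der-for-ldap-cert-at-office-A"
CERT_OFFICE_B_DER = b"constructed-der-for-ldap-cert-at-office-B"
CERT_OFFICE_A_PEM = ssl.DER_cert_to_PEM_cert(CERT_OFFICE_A_DER)
CERT_OFFICE_B_PEM = ssl.DER_cert_to_PEM_cert(CERT_OFFICE_B_DER)


def fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, colon-separated as WAS/keytool display it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_trusted(pem_cert: str, trusted_fingerprints: Iterable[str]) -> bool:
    """Trust decision the way an imported-certificate store makes it:
    exact fingerprint match; the hostname the client used plays no part."""
    return fingerprint(pem_cert) in set(trusted_fingerprints)


def diagnose(pem_cert: str, trusted_fingerprints: Iterable[str], host: str) -> str:
    """Explain why the certificate presented for a hostname is or is not accepted."""
    fp = fingerprint(pem_cert)
    if fp in set(trusted_fingerprints):
        return f"{host}: presented certificate {fp[:23]}... is in the trust store"
    return (f"{host}: presented certificate {fp[:23]}... is NOT in the trust store; "
            "same hostname, but a different certificate than the one imported")


def fetch_server_cert_pem(host: str, port: int = 636) -> str:
    """Fetch the certificate a live TLS endpoint presents (network call, not used offline)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    host = "ldap.something.com"  # hostname from the question
    # Trust store holding only the certificate imported while at office A
    store = {fingerprint(CERT_OFFICE_A_PEM)}
    print(diagnose(CERT_OFFICE_A_PEM, store, host))
    print(diagnose(CERT_OFFICE_B_PEM, store, host))
    # Importing both certificates (or giving both servers the same one) trusts either site
    store.add(fingerprint(CERT_OFFICE_B_PEM))
    print(all(is_trusted(p, store) for p in (CERT_OFFICE_A_PEM, CERT_OFFICE_B_PEM)))
```

Run it once from each office with `fetch_server_cert_pem("ldap.something.com")` in place of the constructed blobs: if the two fingerprints differ, the servers carry different certificates, and either both must be imported into the WAS trust store or both servers must be given the same certificate.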
Most SSL certificates are bound to the hostname of the machine and not the IP address.
You might get a better answer if you ask this question on serverfault.com