Are SSL certificates bound to the server's IP address?

Views: 30

Problem description

We have two different ldap providers in two different physical office locations.

When I connect my laptop to one location and I 'retrieve from port' (in Websphere 6.1) to import the ssl cert of the ldap provider, I can authenticate to the respective ldap with no problems. If I take my laptop to the other office (that uses the other ldap provider by default) and I plug in my laptop, my WAS on my laptop will not start because it says 'no trusted ssl cert found'.

If I 'retrieve from port' again and re-import the cert then it works again.

Note that my WAS always tries to connect to one ldap, it simply has no use for the other one.

If I go back to the other office I get the same error until I reimport from that location. The ldap connection point is ldap.something.com:636 and is pingable in both locations with the same FQDN.

But when pinged it resolves to a different IP address in each office location. Why do I see that behavior?

Are SSL Certs somehow bound to a specific IP address?

If yes, then I need to maintain a different set of certs for each office location, right?

Note that there is no way to adjust the dns servers to resolve the hostname to the same IP address, I checked.

Can someone provide some insight?

Recommended answer

SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com) or even an IP address, but it usually isn't.

In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial number and fingerprint which will need to match. I assume the certificate is being rejected as these details don't match with what's in your certificate store.

Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.

BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
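The answer's diagnosis (one hostname, two servers, each presenting a certificate with its own serial number and fingerprint) can be confirmed directly instead of being inferred from the WebSphere start-up error. The script below is an added example; it is not code from the original post and has nothing to do with WebSphere's own 'retrieve from port' implementation. It resolves a hostname to every address the local resolver returns, fetches the leaf certificate from each address with SNI set to the hostname, and groups the addresses by the SHA-256 fingerprint of the certificate they served. The hostname ldap.something.com:636 is the connection point named in the question; the byte strings used in the offline demonstration are constructed stand-ins for real DER certificates, and the IP addresses next to them are made up.

```python
"""Check whether every IP address behind one hostname serves the same TLS certificate.

Added example for the Q&A above; standard library only. Assumptions:
  - ldap.something.com:636 is taken from the question (real audit needs network access)
  - the byte strings and addresses in __main__ are constructed, not real certificates
"""
from __future__ import annotations

import hashlib
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    uppercase form that openssl and most keystore tools print."""
    digest = hashlib.sha256(der_cert).digest()
    return ":".join(f"{byte:02X}" for byte in digest)


def resolve_all(hostname: str, port: int) -> list[str]:
    """Every IP address (IPv4 and IPv6) the local resolver returns for hostname."""
    addresses: list[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in addresses:
            addresses.append(ip)
    return addresses


def fetch_server_cert(ip: str, port: int, server_name: str, timeout: float = 5.0) -> bytes:
    """Connect to one specific address, send SNI for server_name, and return the
    leaf certificate the server presents, DER-encoded.

    Verification is deliberately switched off here: the point is to see what the
    server sends, not whether this machine already trusts it. Do not reuse this
    context for real connections."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def group_by_fingerprint(certs_by_ip: dict[str, bytes]) -> dict:
    """Group addresses by the fingerprint of the certificate each one served.

    Returns {"consistent": bool, "by_fingerprint": {fingerprint: [ip, ...]}};
    'consistent' is True only when every address served the identical certificate."""
    by_fingerprint: dict[str, list[str]] = {}
    for ip, der in certs_by_ip.items():
        by_fingerprint.setdefault(sha256_fingerprint(der), []).append(ip)
    return {"consistent": len(by_fingerprint) == 1, "by_fingerprint": by_fingerprint}


def audit_hostname(hostname: str, port: int) -> dict:
    """Resolve hostname, fetch the certificate from each address, and report
    whether they all match. Requires network access to the servers."""
    certs = {ip: fetch_server_cert(ip, port, hostname) for ip in resolve_all(hostname, port)}
    return group_by_fingerprint(certs)


def print_report(report: dict) -> None:
    for fingerprint, ips in report["by_fingerprint"].items():
        print(f"{fingerprint}\n    served by: {', '.join(ips)}")
    if report["consistent"]:
        print("every address serves the same certificate")
    else:
        print("different certificates behind one name: deploy one certificate on all"
              " servers, or trust every fingerprint listed above")


if __name__ == "__main__":
    # Offline demonstration with constructed stand-ins for two DER certificates,
    # mirroring the question: one name, two offices, two different certificates.
    demo = group_by_fingerprint({
        "10.1.0.5": b"constructed DER certificate, office A",   # not a real cert
        "10.2.0.5": b"constructed DER certificate, office B",   # not a real cert
    })
    print_report(demo)
    # Against the connection point from the question (needs network access):
    # print_report(audit_hostname("ldap.something.com", 636))
```

Run from each office and the fingerprint that appears is the one WebSphere's 'retrieve from port' would import there; two different fingerprints under one name is exactly the situation the answer describes. The fix the answer recommends, installing the same certificate on both LDAP servers, shows up as `consistent: True`; the alternative of importing both certificates into the WebSphere truststore avoids re-importing on every office change but leaves two fingerprints to track at renewal time.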
