SSL证书是否绑定到服务器的IP地址? [英] Are SSL certificates bound to the servers ip address?
问题描述
我们在两个不同的物理办公室位置拥有两个不同的ldap提供程序.
We have two different ldap providers in two different physical office locations.
当我将笔记本电脑连接到一个位置并且从端口检索"(在Websphere 6.1中)以导入ldap提供程序的ssl证书时,我可以毫无问题地对相应的ldap进行身份验证.如果我将笔记本电脑带到另一个办公室(默认情况下使用另一个ldap提供程序)并且插入了笔记本电脑,则笔记本电脑上的WAS将无法启动,因为它显示未找到受信任的ssl证书".
When I connect my laptop to one location and I 'retrieve from port' (in Websphere 6.1) to import the ssl cert of the ldap provider, I can authenticate to the respective ldap with no problems. If I take my laptop to the other office (that uses the other ldap provider by default) and I plugin my laptop, my WAS on my laptop will not start because it says 'no trusted ssl cert found'.
如果我再次从端口检索"并重新导入证书,那么它将再次起作用.
If I 'retrieve from port' again and re import the cert then it works again.
请注意,我的WAS始终尝试连接到一个ldap,而对另一个ldap根本没有用.
Note that my WAS always try to connect to one ldap, it simply has no use for the other one.
如果我回到另一个办公室,则会遇到相同的错误,直到我从该位置重新导入为止. ldap连接点是ldap.something.com:636,并且可以在两个位置使用相同的FQDN进行ping操作.
If I go back to the other office I get the same error until I reimport from that location. The ldap connection point is ldap.something.com:636 and is pingable in both locations with the same FQDN.
但是在ping时,它将解析为每个办公室位置中的不同IP地址.为什么我看到这种行为?
But when pinged it resolves to a different ip address in each office location. Why do I see that behavior?
SSL证书是否以某种方式绑定到特定的IP地址?
Are SSL Certs somehow bound to a specific IP address?
如果是,那么我需要为每个办公地点维护一套不同的证书,对吗?
If yes, then I need to maintain a different set of certs for each office location, right?
请注意,我检查后无法调整dns服务器以将主机名解析为相同的IP地址.
Note that, there is no way to adjust the dns servers to resolve the hostname to the same IP address, I checked.
有人可以提供一些见识吗?
Can someone provide some insight?
推荐答案
SSL证书绑定到公用名",该公用名通常是完全限定的域名,但可以是通配符名称(例如* .domain.com )甚至IP地址,但通常不是.
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (eg. *.domain.com) or even an IP address, but it usually isn't.
在您的情况下,您正在通过主机名访问LDAP服务器,这听起来像您的两个LDAP服务器安装了不同的SSL证书.您是否可以查看(或下载并查看)SSL证书的详细信息?每个SSL证书将具有唯一的序列号和指纹,需要进行匹配.我认为证书被拒绝了,因为这些详细信息与您的证书库中的信息不匹配.
In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial numbers and fingerprint which will need to match. I assume the certificate is being rejected as these details don't match with what's in your certificate store.
您的解决方案是确保两个LDAP服务器都安装了相同的SSL证书.
Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.
顺便说一句-您通常可以通过编辑本地主机"文件来覆盖工作站上的DNS条目,但我不建议这样做.
BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
这篇关于SSL证书是否绑定到服务器的IP地址?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
