Are SSL certificates bound to the server's IP address?

We have two different LDAP providers at two different physical office locations.

When I connect my laptop at one location and "retrieve from port" (in WebSphere 6.1) to import the LDAP provider's SSL certificate, I can authenticate against the corresponding LDAP without any problem. If I take my laptop to the other office (which by default uses the other LDAP provider) and plug it in, the WAS on my laptop will not start, because it says "no trusted SSL certificate found".

If I "retrieve from port" again and re-import the certificate, it works again.

Note that my WAS always tries to connect to one LDAP; it has no use for the other LDAP.

If I go back to the other office, I get the same error until I re-import from that location. The LDAP connection point is ldap.example.com:636, which is pingable at both locations with the same FQDN.

But when pinged, it resolves to a different IP address at each office location. Why am I seeing this behaviour?

Are SSL certificates somehow bound to a specific IP address?

If so, then I need to maintain a different set of certificates for each office location, right?

Note that I have checked, and there is no way to adjust the DNS servers so that the hostname resolves to the same IP address.

Can anyone offer some insight?

164087 views

Most SSL certificates are bound to the hostname of the machine and not the IP address.

The SSL certificates are going to be bound to the hostname rather than the IP if they are set up in the standard way. Hence it works at one site rather than the other.

Even if the servers share the same hostname they may well have two different certificates and hence WebSphere will have a certificate trust issue as it won't be able to recognise the certificate on the second server as it is different to the first.

SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (eg. *.example.com) or even an IP address, but it usually isn't.

In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial number and fingerprint which will need to match. I assume the certificate is being rejected as these details don't match with what's in your certificate store.

Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.

BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
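The following is an added example illustrating the point made in both answers above; it is written for this page and is not code from the original thread or from WebSphere. It uses Go's standard library to mint two self-signed certificates that both carry the name ldap.example.com (modelling the two independently provisioned LDAP servers), pins the first one in a truststore the way "retrieve from port" does, and then checks what a client would accept. The hostname, the address 10.1.1.5 and the key type are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned builds a self-signed server certificate for host; if ip is
// non-empty it is also listed as an IP SAN. Every call generates a fresh key,
// so two calls with the same host model two LDAP servers that were set up
// independently: same name, different certificates. (Added example; the
// hostname and address used by the callers below are assumptions.)
func newSelfSigned(host, ip string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the identity a client actually checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ip != "" {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// fingerprint is the SHA-256 of the DER encoding: the value a truststore
// entry is effectively keyed on, and what differs between the two servers.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// trusted returns the verification error a client whose truststore holds only
// pinned would get when a server presents presented while the client connects
// to target (a hostname or a literal IP). nil means the handshake is accepted.
func trusted(pinned, presented *x509.Certificate, target string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: target})
	return err
}

func main() {
	const host = "ldap.example.com"
	office1 := newSelfSigned(host, "")
	office2 := newSelfSigned(host, "")

	fmt.Println("same SAN:        ", office1.DNSNames[0] == office2.DNSNames[0])
	fmt.Println("same fingerprint:", fingerprint(office1) == fingerprint(office2))

	// Truststore holds office 1's certificate, as after "retrieve from port".
	fmt.Println("office 1 server by name:", trusted(office1, office1, host))
	fmt.Println("office 2 server by name:", trusted(office1, office2, host))

	// The name is the identity, not the address: connecting by IP fails even
	// against the pinned certificate unless that IP is listed as a SAN.
	fmt.Println("office 1 server by IP:  ", trusted(office1, office1, "10.1.1.5"))
	withIP := newSelfSigned(host, "10.1.1.5")
	fmt.Println("cert with IP SAN by IP: ", trusted(withIP, withIP, "10.1.1.5"))
}
```

The second office's certificate fails with an unknown-authority error even though its name matches, which is the "no trusted SSL certificate found" situation: the DNS answer and the hostname never entered into it. Installing one certificate (and key) on both servers, or importing both certificates into the one truststore, makes both checks pass; the IP-SAN case is shown only to make clear that an address is verified solely when the certificate explicitly lists it.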