On Mon, 27 Oct 2003, Tony Finch wrote:
> >Can I request that support for multiple certificates be added to the
> >wish list please?
>
> I do this:
>
> CERTS = /opt/dist/certs
>
> tls_certificate = CERTS/server/${lookup{$interface_address} \
> cdb{DB/ipaddr2name.cdb}}
>
> The ipaddr2name table contains entries like
>
> 131.111.8.140 smtp.hermes.cam.ac.uk
>
> This is necessary because our reverse DNS refers to the host's name
> not the service name. If your DNS is differently set up you might
> be able to use a dnsdb lookup.
>
A simple encoding of the interface address in the certificate
name is another solution, perhaps with symlinks to allow for easy tracking
of what is what.
For instance:
tls_certificate = CERTS/server/$interface_address
and in CERTS/server you could have

    x.y.z.t  -> smtp.blah.blah.pem
    x.y.z.t1 -> smtp.blah.blah.pem
    smtp.blah.blah.pem

that would represent the setup for an smtp server with two interface
addresses.
A simple script would be able to keep this in sync by doing DNS A lookups
on all names of PEM certs in this directory.
Giuliano
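The sync script sketched in the message above, written out as an added example (it is not Giuliano's script or anything shipped with Exim). It assumes the layout described: one CERTS/server/NAME.pem per service name, and one symlink per interface address pointing at that file, with tls_certificate = CERTS/server/$interface_address. It resolves names with getent ahostsv4 (glibc; an assumption, swap in dig or host on other systems), and the RESOLVER hook is a hypothetical override so it can be exercised without DNS. Links are created by symlink-then-rename so Exim never sees a missing link, an existing non-symlink is never clobbered, and a name that fails to resolve keeps whatever links it already has, so a DNS outage does not silently remove a certificate from a listener.

```shell
#!/bin/sh
# Keep per-interface-address symlinks in a certificate directory in sync with
# the A records of the hostnames that the *.pem files are named after.
# Added example for the layout in the post; assumes GNU/BSD readlink and
# glibc getent. IPv6 (AAAA) is deliberately out of scope, as in the post.

# resolve_a NAME: print the IPv4 addresses of NAME, one per line.
# RESOLVER (hypothetical hook) names a command/function used instead of getent.
resolve_a() {
    if [ -n "${RESOLVER:-}" ]; then
        "$RESOLVER" "$1"
    else
        getent ahostsv4 "$1" | awk '{print $1}' | sort -u
    fi
}

# sync_cert_links DIR: for every NAME.pem in DIR, ensure DIR/<addr> -> NAME.pem
# for each A record, and prune address links that no longer belong to any name.
# Returns non-zero if some name failed to resolve or a link could not be made.
sync_cert_links() {
    dir=$1
    wanted=$(mktemp) || return 1      # list of link names that should exist
    rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue     # unmatched glob: no certificates at all
        name=$(basename "$pem" .pem)
        addrs=$(resolve_a "$name") || addrs=""
        if [ -z "$addrs" ]; then
            echo "warning: no A record for $name; leaving its links untouched" >&2
            rc=1
            # Keep existing links for this name so a DNS hiccup is not fatal.
            for l in "$dir"/*; do
                if [ -L "$l" ] && [ "$(readlink "$l")" = "$name.pem" ]; then
                    basename "$l" >>"$wanted"
                fi
            done
            continue
        fi
        for addr in $addrs; do
            echo "$addr" >>"$wanted"
            link="$dir/$addr"
            # Never replace a real file or a directory that sits where a link goes.
            if [ -e "$link" ] && { [ ! -L "$link" ] || [ -d "$link" ]; }; then
                echo "error: $link exists and is not a symlink to a certificate" >&2
                rc=1
                continue
            fi
            # Create the link under a temporary name and rename it into place so
            # Exim always finds either the old or the new target, never nothing.
            if ln -s "$name.pem" "$link.tmp.$$" && mv -f "$link.tmp.$$" "$link"; then
                :
            else
                echo "error: could not link $link -> $name.pem" >&2
                rm -f "$link.tmp.$$"
                rc=1
            fi
        done
    done
    # Prune address links that point at a .pem but are no longer wanted.
    for l in "$dir"/*; do
        case "$l" in *.pem) continue ;; esac   # never touch the certs themselves
        [ -L "$l" ] || continue
        case "$(readlink "$l")" in *.pem) ;; *) continue ;; esac
        if ! grep -qxF "$(basename "$l")" "$wanted"; then
            echo "pruning stale link $l" >&2
            rm -f "$l"
        fi
    done
    rm -f "$wanted"
    return $rc
}

# Usage (e.g. from cron, after a certificate is replaced):
#   sync_cert_links /opt/dist/certs/server
```

Run it after every certificate rollover and periodically from cron; because a resolution failure is reported but does not delete anything, a transient DNS problem cannot take TLS away from a listener, while a genuinely retired address is cleaned up the next time its old name resolves without it.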