Susan wrote:
> I was looking through the script from the wiki and I saw this line:
>
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....
>
> Wouldn't it be better to change that to -n "`hostname`" or something like that because when you
> create certs for multiple servers, they all end up being called Server-Cert which causes
> confusion.
>
> What do you guys think?

Server-Cert is a holdover from our Netscape days. It's been the default certificate nickname for all the products for as long as I can remember (so at least 8 years). This script seems designed to get one host set up for SSL, not to set up multiple servers (e.g. for MMR), each with their own server cert. It does provide a good basis for issuing multiple certs and demonstrates how to do it in a safe way (by not writing over databases, re-issuing certs with conflicting nicknames, etc.).

Ideally you will use a real CA to issue the server certificates. Self-signed CAs are bad, bad, bad. You don't want your users to get in the habit of accepting unknown server certificates (though I guess this applies more to web servers than LDAP servers).

rob