On 03/12/2013 09:45 AM, Jon Detert wrote:
> I managed to get 389-ds working with encryption. Whew. The project should really update http://directory.fedoraproject.org/wiki/Howto:SSL to make it simpler to figure out. I'm willing to, but the wiki says "We are not ready to accept contributions at this time."

Send me a private email to rmeggins@xxxxxxxxxx and I can set you up with
an account.

> Anyway, I'm wondering what advantage(s) I'd have in using a 3rd-party signed cert instead of a self-signed one? I admit - this question stems from my ignorance of how clients certify servers.
> I think I understand that when you use a self-signed cert, you typically have to 'inform' a client about that cert, telling the client that it is trusted.
> How would it be different if I used a 3rd-party (like GeoTrust) signed cert?

Assuming your certs are issued by a well known CA, you would not have to
install your self signed CA cert on all clients.

> Do clients typically know about common CAs?

Yes.

> Do they typically rely on the o.s. to define/supply the list of known CAs?

Yes - either the OS or the package itself has a list of well known top
level CAs.

> Here are some of the clients I need to talk ldaps to my ldap servers:
> Zimbra
> Liferay
> Apache
> openldap ldapsearch
> Home-grown Java code
> Actuate
> Thanks,
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
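
The trust decision discussed in this thread, as an added example that is not part of the original messages: a client checks the server certificate's issuer against its list of known CAs, so a certificate from a private CA is rejected until that CA certificate is supplied. It assumes the openssl command-line tool is installed; the CA name and host name are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: "Example Private CA" and "ldap.example.com" are placeholders.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Create a private (self-signed) CA certificate and a server certificate issued by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
        -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo_dir/srv.csr" -days 1 \
        -CA "$demo_dir/ca.crt" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/srv.crt" 2>/dev/null
}

# Client that has only the built-in list of well-known CAs (OS or package supplied).
trusted_by_default() {
    openssl verify "$demo_dir/srv.crt" >/dev/null 2>&1
}

# Client that has additionally been given the private CA certificate.
trusted_with_private_ca() {
    openssl verify -CAfile "$demo_dir/ca.crt" "$demo_dir/srv.crt" >/dev/null 2>&1
}

make_certs || { echo "openssl failed to create the demo certificates" >&2; exit 1; }

if trusted_by_default; then
    echo "default trust store: accepted"
else
    echo "default trust store: rejected (issuer is not a known CA)"
fi
if trusted_with_private_ca; then
    echo "private CA supplied: accepted"
else
    echo "private CA supplied: rejected"
fi
```

A certificate issued by a CA that is already in the client's built-in list passes the first check without any per-client setup, which is the advantage described in the reply above.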