Re: SSL simple (I hope) question


On 10/23/2013 03:34 PM, Russell Beall wrote:
> I am working out the best way to enable SSL in a new 389 directory suite setup. I found that when updating the SSL certificate, there are problems with the symmetric keys used for attribute encryption. The instructions simply say to delete those entries and have the directory create new keys on startup after a certificate update.
>
> This worries me because if there is encrypted data locked to the lost keys, wouldn't that remain unrecoverable?
Unless you are actually using attribute encryption, you don't have to worry about this at all.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption

Especially this:
"WARNING
If the SSL certificate is expiring and needs to be renewed, export the encrypted backend instance before the renewal. Update the certificate, then re-import the exported LDIF file."

Basically, back up your old cert/key, then
# db2ldif -n dbname -E
to dump your data unencrypted, then change your cert/key, then
# ldif2db -n dbname -E
to load your data and encrypt with the new key.


> Is there a best practice regarding installation of SSL certificates? Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)?

I'm not sure what you mean. 389 supports regular certs that you obtain from a 3rd party CA. You should not have to create self signed certs if you do not want to.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html


> Thanks,
> Russ.


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
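The export, replace, re-import order from the reply above, written out as a shell runbook. This is an added example, not code from the thread or from the 389 Directory Server project. The instance name, backend name, script and NSS database paths, the "service dirsrv" start/stop commands, the pk12util step for installing the renewed certificate and the dry-run mechanism are all assumptions; the only things taken from the thread are the db2ldif -E / ldif2db -E commands and the requirement to export before the certificate changes.

```shell
#!/bin/sh
# Added example, not part of the thread or of 389 Directory Server itself.
# Runbook for renewing the server certificate when attribute encryption is
# enabled, in the order the quoted documentation requires: export the backend
# in the clear while the OLD key is still present, replace the cert/key, then
# re-import so the data is re-encrypted under the NEW key.
# Assumptions (not stated on the page): the instance and backend names below,
# the instance script directory /usr/lib64/dirsrv/slapd-$INSTANCE, the NSS db
# in /etc/dirsrv/slapd-$INSTANCE, offline db2ldif/ldif2db (server stopped),
# the "service dirsrv" start/stop commands, and pk12util for the cert import.
# DRY_RUN=1 (the default) prints the plan instead of executing it.

INSTANCE="${INSTANCE:-example}"      # placeholder instance name
BACKEND="${BACKEND:-userRoot}"       # the "dbname" of the thread
NEW_P12="${NEW_P12:-/path/to/renewed-server-cert.p12}"  # placeholder path
DRY_RUN="${DRY_RUN:-1}"

INST_DIR="/usr/lib64/dirsrv/slapd-$INSTANCE"
NSS_DIR="/etc/dirsrv/slapd-$INSTANCE"
WORK="${WORK:-/var/tmp/certrotate-$INSTANCE-$(date +%Y%m%d%H%M%S)}"
LDIF="$WORK/$BACKEND-plaintext.ldif"

# run: print the command in dry-run mode, otherwise execute it and fail loudly.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@" || { printf 'FAILED: %s\n' "$*" >&2; return 1; }
    fi
}

# Step 1: decrypt the backend to LDIF while the current cert/key can still
# unwrap the attribute-encryption keys. db2ldif -E writes the encrypted
# attributes in the clear, so the file is as sensitive as the directory data:
# root-only directory, shredded at the end.
export_plaintext() {
    run mkdir -m 0700 -p "$WORK" &&
    run "$INST_DIR/db2ldif" -n "$BACKEND" -E -a "$LDIF"
}

# Step 2: keep a copy of the NSS database so the old key is recoverable if the
# import fails and the export turns out to be unusable.
backup_nssdb() {
    run tar -C "$NSS_DIR" -cf "$WORK/nssdb-before-rotation.tar" .
}

# Step 3: install the renewed cert and key. Obtaining the cert from the CA is
# out of scope here. Removing the stale "encrypted attribute keys" entries so
# the server recreates them on startup (as the quoted instructions say) is
# left to the operator.
replace_cert() {
    run pk12util -i "$NEW_P12" -d "$NSS_DIR"
}

# Step 4: re-import with -E so the backend is encrypted under the new key.
import_encrypted() {
    run "$INST_DIR/ldif2db" -n "$BACKEND" -E -i "$LDIF"
}

cleanup() {
    run shred -u "$LDIF"
}

rotate() {
    run service dirsrv stop "$INSTANCE" || return 1
    export_plaintext || return 1
    # Never touch the certificate until the plaintext export is verified.
    if [ "$DRY_RUN" != "1" ] && [ ! -s "$LDIF" ]; then
        printf 'export produced no data; aborting before any cert change\n' >&2
        return 1
    fi
    backup_nssdb || return 1
    replace_cert || return 1
    import_encrypted || return 1
    run service dirsrv start "$INSTANCE" || return 1
    cleanup
}

# plan_rotation: the full ordered command list for review, never executing.
plan_rotation() {
    ( DRY_RUN=1; rotate )
}

if [ "${ROTATE_NOW:-0}" = "1" ]; then
    rotate
fi
```

Review the output of `plan_rotation` first; the point of the ordering check in `rotate` is that the certificate is never replaced before a non-empty plaintext export exists, because once the old key is gone the data encrypted under it cannot be recovered.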
