On Oct 23, 2013, at 3:29 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote: > Unless you are actually using attribute encryption, you don't have to worry about this at all. Ok, as long as there are no side effects such as an encrypted changelog or passwords encrypted by those keys. I think I got mixed messages when poring through the message boards from the google search results. >> Is there a best practice regarding installation of SSL certificates? Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)? > > I'm not sure what you mean. 389 supports regular certs that you obtain from a 3rd party CA. You should not have to create self signed certs if you do not want to. Yes, I was able to install just the cert and CA cert chain from a 3rd party CA. The issue I was hoping to handle was perhaps to separate this cert and use it only on the SSL channels, and then perhaps also use a self-signed cert that could stay the same for long term use with attribute encryption. Then the SSL cert could be updated every few years without affecting attribute encryption and requiring the dump/reimport. Regards, Russ. -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
