Susan wrote:
I was looking through the script from the wiki and I saw this line: ../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" ..... Wouldn't it be better to change that to -n "`hostname`" or something like that because when you create certs for multiple servers, they all end up being called Server-Cert which causes confusion. What do you guys think?
Server-Cert is a holdover from our Netscape days. It's been the default certificate nickname for all the products for as long as I can remember (so at least 8 years).
This script seems designed to get one host set up for SSL, not to set up multiple servers (e.g. for MMR) each with their own server cert.
It does provide a good basis for issuing multiple certs and demonstrates how to do it in a safe way (by not writing over databases, re-issuing certs with conflicting nicknames, etc).
Ideally you will use a real CA to issue the server certificates. Self-signed CAs are bad, bad, bad. You don't want your users to get in the habit of accepting unknown server certificates (though I guess this applies more to web servers than LDAP servers).
rob
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
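The thread's two practical points, a per-host nickname instead of the shared default "Server-Cert" and not re-issuing over a nickname that already exists in the database, as an added example that is not part of the original message or the Fedora Directory Server wiki script. It assumes the NSS certutil tool is on PATH for the issuing step; the `certutil -L` listing used by the check is a constructed sample, so the check itself runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Fedora Directory Server
# project: give each server its own certificate nickname (the host name) and
# refuse to issue into an NSS database that already holds that nickname.
# Assumed: the listing below is a constructed sample of `certutil -L` output;
# the issuing command only runs where certutil is installed.

# Constructed sample of `certutil -L -d <dbdir>` output (two header lines,
# a blank line, then one line per certificate: nickname, padding, trust flags).
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

CA certificate                                CTu,u,u
Server-Cert                                   u,u,u
ldap1.example.com                             u,u,u'

# nickname_exists LISTING NICKNAME
# Returns 0 when NICKNAME is present in LISTING (exact match, so "Server"
# does not match "Server-Cert"), 1 otherwise.
nickname_exists() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*$/       { next }   # blank separator line
        /Certificate Nickname/ { next }   # first header line
        /SSL,S\/MIME/          { next }   # second header line
        {
            # strip the trust-attribute column and the padding before it;
            # nicknames themselves may contain spaces ("CA certificate")
            name = $0
            sub(/[[:space:]]+[A-Za-z,]*$/, "", name)
            if (name == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# issue_server_cert DBDIR HOST [ISSUER_NICK]
# Issues a server cert whose nickname is HOST, so certs for ldap1 and ldap2
# never collide on the shared default "Server-Cert". Return codes:
# 0 issued, 2 nickname already present, 3 certutil unavailable or listing failed.
issue_server_cert() {
    dbdir=$1; host=$2; issuer=${3:-"CA certificate"}
    command -v certutil >/dev/null 2>&1 || return 3
    listing=$(certutil -L -d "$dbdir" 2>/dev/null) || return 3
    if nickname_exists "$listing" "$host"; then
        echo "refusing to overwrite existing nickname '$host' in $dbdir" >&2
        return 2
    fi
    # Same -S/-n/-s form as the wiki script, with the host name as nickname;
    # -c names the issuing CA already in the database, -t sets the trust flags.
    certutil -S -d "$dbdir" -n "$host" \
        -s "cn=$host,ou=Fedora Directory Server" \
        -c "$issuer" -t "u,u,u"
}

# Stand-alone demo against the constructed listing.
if nickname_exists "$SAMPLE_LISTING" "Server-Cert"; then
    echo "Server-Cert is already taken; a per-host nickname avoids the clash"
fi
```

In real use the issuing CA named by `-c` is the one already imported into the database, which is what Rob means by using a real CA rather than a self-signed one per server; the nickname check is what keeps a second run of the script from silently re-issuing over the first host's certificate.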