On 10/23/2013 03:34 PM, Russell Beall wrote:
I am working out the best way to enable SSL in a new 389 directory suite setup.
I found that when updating the SSL certificate, there are problems with the
symmetric keys used for attribute encryption. The instructions simply say to
delete those entries and have the directory create new keys on startup after a
certificate update.
This worries me because if there is encrypted data locked to the lost keys,
wouldn't that remain unrecoverable?
Unless you are actually using attribute encryption, you don't have to
worry about this at all.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Creating_and_Maintaining_Databases-Database_Encryption
Especially this:
"WARNING
If the SSL certificate is expiring and needs to be renewed, export the
encrypted backend instance before the renewal. Update the certificate,
then re-import the exported LDIF file."
basically, backup your old cert/key, then
# db2ldif -n dbname -E
to dump your data unencrypted, then change your cert/key, then
# ldif2db -n dbname -E
to load your data and encrypt with the new key
Is there a best practice regarding installation of SSL certificates? Should I
follow the self-signed cert steps and set a long lifetime on that cert, and
then separate that from the SSL connectivity certificate (which we buy from an
official certificate authority)?
I'm not sure what you mean. 389 supports regular certs that you obtain
from a 3rd party CA. You should not have to create self signed certs if
you do not want to.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html
Thanks,
Russ.
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
