We have some issues with the way we manage certificates in ApacheDS at the moment. Currently we store the certificate and the private key in the uid=admin,ou=system entry. Or we use an external keystore file, which should contain only one certificate.

It is not possible to store another certificate in uid=admin using Studio, unless you have access to the private key and have encoded it in base64 before sending it. Not really convenient. But more than that, there is no reason to store the certificate within the admin user, when it's only used by the LdapServer. The certificate used to establish SSL or TLS should be associated with the LdapServer configuration, thus being stored into the config partition.

Second point: at the moment, when the server is started and if we don't have any certificate, then the server will generate a self-signed certificate, which is very handy for those who want to be up and running quickly. But the risk is that this self-signed certificate remains the one used forever. There is no reason to generate a self-signed certificate at startup, except that it's convenient. I'm not sure we should change that in 2.0, it's a bit too heavy. We can change that in a future version.

I will cancel the vote for 2.0-RC1, and move the certificate to config, if nobody objects.

Thoughts?

-- 
Regards, Cordialement,
Emmanuel Lécharny
www.iktek.com
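The risk raised above, that the self-signed certificate minted at startup quietly stays in service, is easy to catch from the outside: a certificate signed with its own key has issuer equal to subject and verifies under its own public key. The following is an added example written for this discussion, not ApacheDS code and not the server's actual startup generator. It builds two constructed sample certificates with Go's standard library (one self-signed, as the fallback would be, and one issued by a made-up "Example Root CA"), then runs the check on both; the hostnames, CA name and 90-day validity are assumptions chosen for the demonstration, and an operator would instead feed it the certificate the LDAP listener presents.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IsSelfSigned reports whether cert was signed with its own key: the issuer
// name equals the subject name and the signature verifies under the
// certificate's own public key. A production LDAP listener still presenting
// such a certificate is a sign that a startup placeholder was never replaced.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	// CheckSignature rather than CheckSignatureFrom, so that a self-signed
	// end-entity certificate without the CA basic constraint still verifies.
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// DaysUntilExpiry returns the whole days between now and NotAfter (negative
// once expired), so a certificate about to lapse can be flagged as well.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// newCert builds a constructed sample certificate for subject, signed by
// parent with parentKey, or by its own key when parent is nil. It exists only
// so the check can be exercised offline; it is an assumption, not ApacheDS's
// own certificate generator.
func newCert(subject string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // assumed validity
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := parent, parentKey
	if signer == nil {
		signer, signerKey = tmpl, key // self-signed: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

func main() {
	now := time.Now()
	// What a startup fallback produces: a certificate signed by its own key.
	fallback, _, err := newCert("ldap.example.test", nil, nil, false)
	if err != nil {
		panic(err)
	}
	// What a properly replaced certificate looks like: a leaf issued by a CA.
	ca, caKey, err := newCert("Example Root CA", nil, nil, true)
	if err != nil {
		panic(err)
	}
	leaf, _, err := newCert("ldap.example.test", ca, caKey, false)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{fallback, leaf} {
		fmt.Printf("%-20s self-signed=%-5v issuer=%q expires in %d days\n",
			c.Subject.CommonName, IsSelfSigned(c), c.Issuer.CommonName, DaysUntilExpiry(c, now))
	}
}
```

Checking issuer against subject alone is not enough: two distinct certificates can carry the same name, so the signature is verified under the certificate's own key as well. Running the check on the certificate a live listener presents, and alerting when it reports self-signed, gives a simple guard against the placeholder becoming permanent.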
