Susan wrote:
I was looking through the script from the wiki and I saw this line:

../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory 
Server" .....

Wouldn't it be better to change that to -n "`hostname`" or something like that 
because when you
create certs for multiple servers, they all end up being called Server-Cert 
which causes
confusion.

What do you guys think?



Server-Cert is a hold over from our Netscape days. It's been the default certificate nickname for all the products for as long as I can remember (so at least 8 years).

This script seems designed to get one host setup for SSL, not to setup multiple servers (e.g. for MMR) each with their own server cert.

It does provide a good basis for issuing multiple certs and demonstrates how to do it in a safe way (by not writing over databases, re-issuing certs with conflicting nicknames, etc).

Ideally you will use a real CA to issue the server certificates. Self-signed CA's are bad, bad, bad. You don't want your users to get in the habit of accepting unknown server certificates (though I guess this applies more to web servers than LDAP servers).

rob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Reply via email to