From Emmanuel Lecharny <>
Subject Re: [ApacheDS] Setting up my own certificate for SSL
Date Thu, 18 Dec 2008 01:08:50 GMT
Stefan Zoerner wrote:
> Hi all,
> I am facing some problems with the current (since 1.5.3, I assume) SSL 
> configuration. In earlier days, it was possible to provide a keystore 
> with the public/private key, certificate etc. here
> Now, the server creates a keypair when it starts the first time and 
> stores it in the entry uid=admin,ou=system, in different attributes.
> To be honest: This is an example of why our documentation is so bad. The 
> old behavior was well described in the docs. Someone changed it 
> completely, and did not update the docs. The same situation holds true for 
> the whole configuration. :-(
/me and the dev team hiding under a rock ...
> Nevertheless, the new SSL functionality seems to be simpler, because 
> it is possible to set it up automatically. But if I plan to use a 
> custom certificate, it should be at least possible. Today, there was a 
> corresponding question on the user list.
> I wanted to update the docs to reflect the changes, and I am still 
> trying to figure out what an easy way for our users would be.
> A question for the current implementation: Is there any way to 
> configure/influence the key creation at startup? I assume no, but 
> perhaps I am missing something.
> Currently, the only way to set up my own certificate is modifying the 
> attribute values for uid=admin,ou=system.
> This is not an easy task, because we do not have any tools for that. 
> There is no wizard in Studio yet. Even if there were one -- it 
> should be possible without a UI client, ...
> I was able to store my private key, but I am a little bit confused 
> about some attributes. What exactly is contained in userCertificate and 
> what in publicKey?
> I assume userCertificate holds the certificate the server presents to 
> the client. But why do we need publicKey as well? I think it is contained 
> in the userCertificate. No?
I'm gonna check that. You know, to be honest, if I started to update the 
page about configuration, it's because I was totally lost in the 
configuration. I can read the code, but there are many new parameters I 
don't know about. At some point, as I needed to add a new configuration 
parameter, I just told myself "look, emmanuel, this is an insane 
situation... You can't even figure out what should be found in the 
server.xml, and what is valid or invalid... Time to write doco !"

So I started ...

It's not especially funny, and I can feel the pain of those who created 
the initial doco, seeing everything they did totally FU. Not to mention 
our users !

So, time to wake up and kick some asses !

/me writing docs ;)

cordialement, regards,
Emmanuel Lécharny
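One way to prepare the attribute values Stefan describes without a UI client, as an added example that is not part of this thread or of ApacheDS itself: read the server certificate out of a JKS keystore and emit an LDIF modify for uid=admin,ou=system. It assumes that publicKey holds the DER-encoded SubjectPublicKeyInfo (the same key embedded in the certificate, which is why the two attributes overlap) and that the server accepts the RFC 4523 `;binary` transfer option on userCertificate; the keystore path, password and alias are supplied by the reader.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;

// Added example, not ApacheDS code. Produces an LDIF modify that replaces
// userCertificate and publicKey on uid=admin,ou=system from a JKS keystore.
public class AdminCertLdif {

    // Assumption: publicKey stores the DER SubjectPublicKeyInfo, which is
    // exactly the key already carried inside the X.509 certificate.
    static byte[] publicKeyFromCert(Certificate cert) {
        return cert.getPublicKey().getEncoded();
    }

    // LDIF "::" values are base64; the ";binary" option on userCertificate
    // follows RFC 4523 and can be dropped if the server does not expect it.
    static String ldifModify(byte[] certDer, byte[] pubKeyDer) {
        Base64.Encoder b64 = Base64.getEncoder();
        return "dn: uid=admin,ou=system\n"
             + "changetype: modify\n"
             + "replace: userCertificate\n"
             + "userCertificate;binary:: " + b64.encodeToString(certDer) + "\n"
             + "-\n"
             + "replace: publicKey\n"
             + "publicKey:: " + b64.encodeToString(pubKeyDer) + "\n"
             + "-\n";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: AdminCertLdif <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate cert = ks.getCertificate(args[2]);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + args[2]);
        }
        // The certificate is what the server presents to clients; the public
        // key attribute is derived from it rather than stored independently.
        System.out.print(ldifModify(cert.getEncoded(), publicKeyFromCert(cert)));
    }
}
```

The resulting LDIF can be applied with any ldapmodify client bound as the admin user; the private key is deliberately left out here because the thread does not name the attribute that holds it.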
