directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel L├ęcharny <>
Subject Certificate handling
Date Wed, 10 Apr 2013 15:58:40 GMT
We have some issue with the way we manage certificates in ApacheDS atm.

Currently we store the certificate and the private key in the
uid=admin,ou=system entry. Or we use an external keystore file, which
should contain only one certificate.

This is not possible to store another certificate in uid=admin using
Studio, unless you have access to the prvate key and have encoded it in
base64 befoe sending it. Nt really convenient.

But more than that, there is no reason to store the certificate within
the admin user, when it's only use by the LdapServer. The certificate
used to establish SSL or TLS should be associated with the LdapServer
configuration, thus being stored into the condif partition.

Second point : atm, when the server is started and if we don't have any
certificate, then the server will generated a self-signed certificate,
which is very handy for those who want to be up and running quickly. But
the risk is that this self-signed certificate remains the one used forever.

There is no reason to generate a self-signed certificate at startup,
except that it's convenient.

I'm not sure we should change that in 2.0, it's a bit too heavy. We can
change that in a future version.

I will cancel the vote for 2.0-RC1, and mobe the certificate to config,
if nobody objects.

thoughts ?

Emmanuel L├ęcharny 

View raw message