directory-dev mailing list archives

From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: Certificate handling
Date Wed, 10 Apr 2013 16:08:37 GMT
Hi Emmanuel,

On 10 Apr 2013, at 17:58, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> We have some issues with the way we manage certificates in ApacheDS atm.
> 
> Currently we store the certificate and the private key in the
> uid=admin,ou=system entry. Or we use an external keystore file, which
> should contain only one certificate.
> 
> It is not possible to store another certificate in uid=admin using
> Studio, unless you have access to the private key and have encoded it in
> base64 before sending it. Not really convenient.
> 
> But more than that, there is no reason to store the certificate within
> the admin user, when it's only used by the LdapServer. The certificate
> used to establish SSL or TLS should be associated with the LdapServer
> configuration, thus being stored into the config partition.

BIG +1.
It will be much easier for our users, who won't have to jump between these two concepts, one
being stored in the configuration while the other is stored in the admin user (which
I understand from a technical and historical POV, but which always annoyed me from a user
POV).


> Second point: atm, when the server is started and if we don't have any
> certificate, then the server will generate a self-signed certificate,
> which is very handy for those who want to be up and running quickly. But
> the risk is that this self-signed certificate remains the one used forever.
> 
> There is no reason to generate a self-signed certificate at startup,
> except that it's convenient.
> 
> I'm not sure we should change that in 2.0, it's a bit too heavy. We can
> change that in a future version.

That's, to me, one of the greatest points of ApacheDS. When you want to try out LDAPS or
StartTLS connections, you don't have to run into those cryptic "openssl" commands to generate
a self-signed certificate, just for a dev or test environment.
A real no-brainer and time saver...


> I will cancel the vote for 2.0-RC1, and move the certificate to config,
> if nobody objects.
> 
> thoughts ?

I'm all for it!
And it's really the right time to do it.


Regards,
Pierre-Arnaud

> 
> -- 
> Regards,
> Kind regards,
> Emmanuel Lécharny
> www.iktek.com 
> 

