I am working out the best way to enable SSL in a new 389 directory suite setup. I found
that when updating the SSL certificate, there are problems with the symmetric keys used
for attribute encryption. The instructions simply say to delete those entries and have
the directory create new keys on startup after a certificate update.
This worries me because if there is encrypted data locked to the lost keys, wouldn't
that remain unrecoverable?
Is there a best practice regarding installation of SSL certificates? Should I follow the
self-signed cert steps and set a long lifetime on that cert, and then separate that from
the SSL connectivity certificate (which we buy from an official certificate authority)?
Thanks,
Russ.
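Added example, not from the original post or from the 389 Directory Server project: the order of operations that keeps attribute-encrypted data readable across a server certificate change. 389 DS keeps each backend's attribute-encryption key (AES, plus 3DES on older releases) in an entry under cn=config, wrapped with the key pair of the server certificate. A replacement certificate cannot unwrap those keys, which is why the documentation tells you to delete the entries and let the server generate new ones; any values still encrypted under the old keys are then unrecoverable, so the data must be exported decrypted before the keys go away. The instance name "ldap1", the backend "userRoot", the paths, and the assumption that `dsctl <inst> db2ldif -E` passes the legacy "decrypt on export" flag through are all assumptions of this example; check them against `dsctl ldap1 db2ldif -h` on your version before running anything.

```shell
#!/bin/sh
# Added example (not 389-ds project code): rotate the server certificate without
# losing attribute-encrypted data.  Assumed instance/backend names and the -E
# export flag must be verified against your installation.
set -eu

INSTANCE="${INSTANCE:-ldap1}"
BACKEND="${BACKEND:-userRoot}"
CONFDIR="${CONFDIR:-/etc/dirsrv/slapd-$INSTANCE}"
EXPORT="${EXPORT:-/var/lib/dirsrv/slapd-$INSTANCE/ldif/$BACKEND-decrypted.ldif}"

# DNs of the wrapped symmetric-key entries the server regenerates at startup.
attrenc_key_dns() {
    b="$1"
    printf '%s\n' \
        "cn=AES,cn=encrypted attribute keys,cn=$b,cn=ldbm database,cn=plugins,cn=config" \
        "cn=3DES,cn=encrypted attribute keys,cn=$b,cn=ldbm database,cn=plugins,cn=config"
}

# Copy an LDIF (here dse.ldif, which persists cn=config) to stdout with the key
# entries of BACKEND removed.  LDIF entries are separated by blank lines, so awk
# paragraph mode (RS="") sees one whole entry, folded lines included, per record.
strip_attrenc_keys() {
    b="$1"; f="$2"
    awk -v aes="dn: cn=AES,cn=encrypted attribute keys,cn=$b," \
        -v des="dn: cn=3DES,cn=encrypted attribute keys,cn=$b," \
        'BEGIN { RS = ""; ORS = "\n\n" }
         index($0, aes) != 1 && index($0, des) != 1 { print }' "$f"
}

# Once the keys are gone the decrypted export is the only copy of the protected
# values, so refuse to continue unless it exists and holds at least one entry.
export_ok() {
    [ -s "$1" ] && grep -q '^dn: ' "$1"
}

rotate_cert_with_attrenc() {
    dsctl "$INSTANCE" stop
    # 1. Offline export with encrypted attributes decrypted (flag is an assumption).
    dsctl "$INSTANCE" db2ldif -E "$BACKEND" "$EXPORT"
    export_ok "$EXPORT" || { echo "decrypted export missing; keys left untouched" >&2; return 1; }
    chmod 600 "$EXPORT"   # this file now holds the plaintext of the encrypted attributes

    # 2. Remove the wrapped keys from dse.ldif while the server is stopped.
    cp -p "$CONFDIR/dse.ldif" "$CONFDIR/dse.ldif.pre-cert-rotate"
    strip_attrenc_keys "$BACKEND" "$CONFDIR/dse.ldif.pre-cert-rotate" > "$CONFDIR/dse.ldif"

    # 3. Install the new certificate in the instance NSS database at this point,
    #    then start once so fresh keys are generated and wrapped with it.
    dsctl "$INSTANCE" start
    dsctl "$INSTANCE" stop

    # 4. Re-import: the values are encrypted again under the new keys.
    dsctl "$INSTANCE" ldif2db "$BACKEND" "$EXPORT"
    dsctl "$INSTANCE" start
    shred -u "$EXPORT" 2>/dev/null || rm -f "$EXPORT"
}

# Only run the procedure when explicitly requested; sourcing the file is safe.
if [ "${ATTRENC_ROTATE:-0}" = "1" ]; then
    rotate_cert_with_attrenc
fi
```

The decrypted LDIF is the weak point of the whole procedure: it contains exactly the values attribute encryption exists to protect, so it is created with mode 600 and destroyed after the import. Keep the `dse.ldif.pre-cert-rotate` copy until the server has started cleanly with the new keys, then remove it as well, since it still carries the old wrapped keys.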