On 03/12/2013 09:45 AM, Jon Detert wrote:
> I managed to get 389-ds working with encryption. Whew. The project
> should really update
> http://directory.fedoraproject.org/wiki/Howto:SSL to make it simpler
> to figure out. I'm willing to, but the wiki says "We are not ready to accept
> contributions at this time."

Send me a private email to rmeggins(a)redhat.com and I can set you up with
an account.

> Anyway, I'm wondering what advantage(s) I'd have in using a 3rd-party signed cert
> instead of a self-signed one? I admit - this question stems from my ignorance of how
> clients certify servers.
>
> I think I understand that when you use a self-signed cert, that you typically have to
> 'inform' a client about that cert, telling the client that it is trusted.
>
> How would it be different if I used a 3rd-party (like GeoTrust) signed cert?

Assuming your certs are issued by a well-known CA, you would not have to
install your self-signed CA cert on all clients.

> Do clients typically know about common CAs?

Yes.

> Do they typically rely on the o.s. to define/supply the list of known
> CAs?

Yes - either the OS or the package itself has a list of well-known
top-level CAs.

> Here are some of the clients I need to talk ldaps to my ldap servers:
>
> Zimbra
> Liferay
> Apache
> openldap ldapsearch
> Home-grown java code
> Actuate
>
> Thanks,
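
The trust difference discussed in this message, as an added example that is not part of the original thread: a server cert issued by a private self-signed CA is rejected by a client that only has its stock CA list, and accepted once that CA cert is handed to the client. The CA name, the host name ldap.example.test and the function names are assumptions made for illustration; it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example; every name and key here is constructed and throwaway.

# Create a private (self-signed) CA and a server cert it issues, in dir $1.
make_pki() {
  d=$1
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed CA certificate: this is what clients must be told to trust.
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Key and signing request for a hypothetical LDAP server name.
  openssl req -new -config "$d/req.cnf" -subj "/CN=ldap.example.test" \
    -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
    2>/dev/null || return 1
  # The private CA signs the request to produce the server certificate.
  openssl x509 -req -in "$d/srv.csr" -days 1 -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/srv.crt" 2>/dev/null
}

# Client with only its stock list of well-known CAs: issuer is unknown.
verify_with_stock_cas() {
  openssl verify "$1/srv.crt" >/dev/null 2>&1
}

# Client that has had the private CA cert installed as a trust anchor.
verify_with_private_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_pki "$d" || { rm -rf "$d"; return 1; }
  verify_with_stock_cas "$d" && echo "stock CAs: trusted" \
    || echo "stock CAs: rejected"
  verify_with_private_ca "$d" && echo "private CA installed: trusted" \
    || echo "private CA installed: rejected"
  rm -rf "$d"
}
demo
```

For the OpenLDAP ldapsearch client listed above, the counterpart of `-CAfile` is the `TLS_CACERT` setting in ldap.conf.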