[389-users] SSL simple (I hope) question

[Rich Megginson]

On 10/23/2013 05:33 PM, Russell Beall wrote:
> On Oct 23, 2013, at 3:29 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>> Unless you are actually using attribute encryption, you don't have to worry about this at all.
> Ok, as long as there are no side effects such as an encrypted changelog
Yes, encrypted changelog is affected.
> or passwords encrypted by those keys.

No, passwords are generally hashed, not encrypted.

> I think I got mixed messages when poring through the message boards from the google search results.
>
>>> Is there a best practice regarding installation of SSL certificates?  Should I follow the self-signed cert steps and set a long lifetime on that cert, and then separate that from the SSL connectivity certificate (which we buy from an official certificate authority)?
>> I'm not sure what you mean.   389 supports regular certs that you obtain from a 3rd party CA.  You should not have to create self signed certs if you do not want to.
> Yes, I was able to install just the cert and CA cert chain from a 3rd party CA.  The issue I was hoping to handle was perhaps to separate this cert and use it only on the SSL channels, and then perhaps also use a self-signed cert that could stay the same for long term use with attribute encryption.  Then the SSL cert could be updated every few years without affecting attribute encryption and requiring the dump/reimport.

Ah, I see.  Yes, that would be nice, to have separate keys for SSL and 
encryption.  Please file an enhancement ticket.

>
> Regards,
> Russ.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users