November 18, 2016 at 6:58 pm #14354 Mark Drummond Participant
Basic stuff, but looking for some validation:
1. During ./setup, the admin port is always configured with a self-signed certificate, even if you specify a keystore and cert (the specified keystore and cert are only used for the LDAPS port).
2. If you specify a keystore during ./setup, opendj assumes you have already created an associated truststore in the same location?
Any ProTips on scripting / automating SSL setup? My first thought was to create the various keystores myself under /etc/opendj/security, do a non-SSL install, and then dsconfig commands to configure SSL and point at the keystore files in /etc/opendj/security.
On the other hand, I like sticking with default values wherever possible so maybe doing a self-signed cert install and then keystore and dsconfig commands to update the keystore files in config/ is the way to go.

November 21, 2016 at 2:18 pm #14372 Ludo Moderator
I think our default setup tool tends to separate the different uses of certificates too much.
We will be changing and simplifying the default setup soon.
I would think that the way to go is to create a single keystore/truststore and reference it for all usages, using dsconfig to configure the server.

November 23, 2016 at 3:32 pm #14444 Mark Drummond Participant
I agree. Maybe there are good reasons for separating these things out, but it does seem like a good bit of unnecessary work. I like the idea of a single key/truststore.
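
The approach discussed in this thread (one keystore/truststore under /etc/opendj/security, referenced for every usage through dsconfig), sketched as an added example that is not from any poster or from the OpenDJ project. The provider name JKS, the handler name "LDAPS Connection Handler", the alias server-cert and the file names keystore.jks, keystore.pin and dm.pwd are assumptions; check them against your own server's configuration.

```shell
#!/bin/sh
# Added example: point the LDAPS handler and the admin connector at ONE keystore.
# Assumed names (not from the thread): providers "JKS", alias "server-cert",
# files keystore.jks / keystore.pin / dm.pwd under SEC_DIR.
SEC_DIR="${SEC_DIR:-/etc/opendj/security}"
NICK="${NICK:-server-cert}"

# Print one dsconfig subcommand per line, in the format --batchFilePath reads.
build_batch() {
    ks="$1/keystore.jks"; pin="$1/keystore.pin"; nick="$2"
    cat <<EOF
set-key-manager-provider-prop --provider-name JKS --set enabled:true --set key-store-file:$ks --set key-store-pin-file:$pin
set-trust-manager-provider-prop --provider-name JKS --set enabled:true --set trust-store-file:$ks --set trust-store-pin-file:$pin
set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:true --set key-manager-provider:JKS --set trust-manager-provider:JKS --set ssl-cert-nickname:$nick
set-administration-connector-prop --set key-manager-provider:JKS --set trust-manager-provider:JKS --set ssl-cert-nickname:$nick
EOF
}

# Apply the batch to a local server that was installed first, then reconfigured.
apply_tls() {
    for f in "$SEC_DIR/keystore.jks" "$SEC_DIR/keystore.pin" "$SEC_DIR/dm.pwd"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    batch=$(mktemp) || return 1
    build_batch "$SEC_DIR" "$NICK" > "$batch"
    # --trustAll skips certificate validation; it is used here only because the
    # admin port still presents the setup-time self-signed certificate and the
    # connection stays on localhost. Prefer --trustStorePath once that is replaced.
    dsconfig --hostname localhost --port 4444 \
        --bindDN "cn=Directory Manager" --bindPasswordFile "$SEC_DIR/dm.pwd" \
        --trustAll --no-prompt --batchFilePath "$batch"
    rc=$?
    rm -f "$batch"
    return $rc
}

# Run as: ./script.sh apply   (without the argument nothing is changed)
if [ "${1:-}" = "apply" ]; then apply_tls; fi
```

Running build_batch on its own prints the four subcommands so they can be reviewed before anything is applied.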