Some Questions re:OpenDJ SSL Certificate Basics

This topic has 2 replies, 2 voices, and was last updated 5 years, 10 months ago by Mark Drummond.

     Mark Drummond

    Basic stuff, but looking for some validation:

    1. During ./setup, the admin port is always configured with a self-signed certificate, even if you specify a keystore and cert (the specified keystore and cert are only used for the LDAPS port).

    2. If you specify a keystore during ./setup, opendj assumes you have already created an associated truststore in the same location?

    Any ProTips on scripting / automating SSL setup? My first thought was to create the various keystores myself under /etc/opendj/security, do a non-SSL install, and then dsconfig commands to configure SSL and point at the keystore files in /etc/opendj/security.

    On the other hand, I like sticking with default values wherever possible so maybe doing a self-signed cert install and then keystore and dsconfig commands to update the keystore files in config/ is the way to go.


    Hi Mark,

    I think our default setup tool tends to separate the different uses of certificates too much.
    We will be changing and simplifying the default setup soon.
    I would think that the way to go is to create a single keystore/truststore and reference it for all usages, using dsconfig to configure the server.

     Mark Drummond

    I agree. Maybe there are good reasons for separating these things out, but it does seem like a good bit of unnecessary work. I like the idea of a single key/truststore.
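An added example, not code from this thread or from OpenDJ itself, of the approach the question and the reply converge on: a non-SSL ./setup, then dsconfig pointing the LDAPS handler and the admin connector at one keystore that doubles as the truststore. The paths, the default provider name JKS and the dsconfig property names are assumptions to verify against your version's dsconfig reference.

```shell
#!/bin/sh
# Added example (not from the thread or OpenDJ): after a non-SSL ./setup, point
# the LDAPS port and the admin connector at ONE keystore used as truststore too.
# Assumptions: dsconfig is under $OPENDJ_HOME/bin, the default "JKS" key/trust
# manager providers exist, and property names match your dsconfig version.
set -eu

OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"
SEC_DIR="${SEC_DIR:-/etc/opendj/security}"
KEYSTORE="$SEC_DIR/keystore"        # server key pair under alias server-cert
PIN_FILE="$SEC_DIR/keystore.pin"    # keystore password; 0600, owned by OpenDJ user
DM_PWD_FILE="${DM_PWD_FILE:-$SEC_DIR/dm.pwd}"   # Directory Manager password file
ADMIN_PORT="${ADMIN_PORT:-4444}"

# Create the pin file and a self-signed key pair. -storetype JKS matters on
# Java 9+, where keytool defaults to PKCS12 but the JKS provider expects JKS.
create_keystore() {
  umask 077
  mkdir -p "$SEC_DIR"
  head -c 24 /dev/urandom | base64 > "$PIN_FILE"
  keytool -genkeypair -alias server-cert -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$(hostname -f)" -ext "SAN=dns:$(hostname -f)" -storetype JKS \
    -keystore "$KEYSTORE" -storepass:file "$PIN_FILE" -keypass:file "$PIN_FILE"
}

# Print (rather than run) the dsconfig calls so they can be reviewed first.
# Key manager, trust manager, LDAPS handler and admin connector all reference
# the same file via the same providers.
dsconfig_commands() {
  ds="$OPENDJ_HOME/bin/dsconfig --hostname localhost --port $ADMIN_PORT \
--bindDN \"cn=Directory Manager\" --bindPasswordFile $DM_PWD_FILE --trustAll --no-prompt"
  cat <<EOF
$ds set-key-manager-provider-prop --provider-name JKS \\
  --set key-store-file:$KEYSTORE --set key-store-pin-file:$PIN_FILE
$ds set-trust-manager-provider-prop --provider-name JKS \\
  --set trust-store-file:$KEYSTORE
$ds set-connection-handler-prop --handler-name "LDAPS Connection Handler" \\
  --set enabled:true --set key-manager-provider:JKS --set trust-manager-provider:JKS \\
  --set ssl-cert-nickname:server-cert
$ds set-administration-connector-prop --set key-manager-provider:JKS \\
  --set trust-manager-provider:JKS --set ssl-cert-nickname:server-cert
EOF
}

# Apply only when explicitly requested. --trustAll is used because the admin
# connector still presents its setup-time self-signed cert on this first run.
if [ "${OPENDJ_SSL_APPLY:-no}" = "yes" ]; then
  create_keystore
  dsconfig_commands | sh -e
fi
```

Run with `OPENDJ_SSL_APPLY=yes` on the server host; afterwards, verify with `ldapsearch --useSSL` against the LDAPS port and reconnect dsconfig with a truststore instead of `--trustAll`.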
