
Re: Best method to swap TLS cert/key/CA files



On 18-04-16 23:14, ML mail wrote:
Hello,

I would like to swap my self signed certificate including CA, cert and key with a new set of CA, cert and key files on my OpenLDAP 2.4.31 master and replica servers. What would be the best way to achieve that? Can I simply run an ldapmodify with the new values and then restart slapd? Is it as easy as that or are there any pitfalls I should take care of?

Thank you in advance for your comments.

Regards
ML

Don't know if this is the best method but in my OpenLDAP config I have generic filenames for the CA, cert & key and then symlink them to the real certificates. For example:

olcTLSCACertificateFile: /etc/pki/tls/certs/openldap_ca.crt


# ls -l /etc/pki/tls/certs/
...
lrwxrwxrwx. 1 root root 3826 mrt 3 22:24 /etc/pki/tls/certs/openldap_ca.crt -> /etc/pki/tls/certs/my_real_CA.crt
...

If I need to update the certificates I just switch the symlinks over to the new certificates and restart OpenLDAP.

If you have SELinux enabled, make sure that the new certificates have the proper security contexts before switching symlinks and restarting OpenLDAP.

HTH,
Patrick
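As an added example (not from the thread), the following POSIX shell script carries out the swap Patrick describes with the "generic filename plus symlink" layout: it checks that the new certificate and key belong together, relabels the new files for SELinux where `restorecon` exists, repoints each symlink atomically so a restart never sees a half-updated set, and restarts slapd. The directory, the three link names, the `slapd` service name and the `openssl`/`restorecon` tools are assumptions.

```sh
#!/bin/sh
# Added example: rotate the CA/cert/key symlinks that slapd's olcTLS*
# attributes point at. Paths, link names and service name are assumptions.

# swap_link LINK TARGET: repoint LINK at TARGET without a moment where LINK
# is missing. The new link is built under a temporary name and renamed over
# the old one; rename(2) is atomic, so slapd sees the old or the new target,
# never neither. (Works because the targets are regular files, not directories.)
swap_link() {
    link=$1
    target=$2
    if [ ! -r "$target" ]; then
        echo "missing or unreadable: $target" >&2
        return 1
    fi
    tmp="$link.tmp.$$"
    ln -s "$target" "$tmp" || return 1
    mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }
}

# check_pair CERT KEY: refuse the switch if the new key does not match the new
# certificate (compares the public key carried by each). Skipped if openssl is absent.
check_pair() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping cert/key pair check" >&2
        return 0
    fi
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# rotate_tls DIR NEW_CA NEW_CERT NEW_KEY: validate, label, switch all three
# links, then restart slapd. SLAPD_RESTART can be overridden for dry runs.
rotate_tls() {
    dir=$1; ca=$2; cert=$3; key=$4
    check_pair "$cert" "$key" || { echo "cert/key mismatch, aborting" >&2; return 1; }
    # Label the new files before they go live (Patrick's SELinux caveat).
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$ca" "$cert" "$key"
    fi
    swap_link "$dir/openldap_ca.crt" "$ca"   || return 1
    swap_link "$dir/openldap.crt"    "$cert" || return 1
    swap_link "$dir/openldap.key"    "$key"  || return 1
    ${SLAPD_RESTART:-systemctl restart slapd}
}
```

Run it as `rotate_tls /etc/pki/tls/certs /path/new_ca.crt /path/new.crt /path/new.key` once the new files are in place; keep the old files until the restart has been verified so the links can be pointed back the same way.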