
Re: Best method to swap TLS cert/key/CA files

Thanks Patrick for your suggestion about the symlink. I like it, as it does not involve messing up my OpenLDAP installation by changing the base config...

Regards
ML



On Tuesday, April 19, 2016 10:06 AM, Patrick Laimbock <patrick@laimbock.com> wrote:
On 18-04-16 23:14, ML mail wrote:
> Hello,
>
> I would like to swap my self signed certificate including CA, cert and key with a new set of CA, cert and key files on my OpenLDAP 2.4.31 master and replica servers. What would be the best way to achieve that? Can I simply run an ldapmodify with the new values and then restart slapd? Is it as easy as that or are there any pitfalls I should take care of?
>
> Thank you in advance for your comments.
>
> Regards
> ML

Don't know if this is the best method but in my OpenLDAP config I have 
generic filenames for the CA, cert & key and then symlink them to the 
real certificates. For example:

olcTLSCACertificateFile: /etc/pki/tls/certs/openldap_ca.crt


# ls -l /etc/pki/tls/certs/
...
lrwxrwxrwx. 1 root root    3826 mrt  3 22:24 /etc/pki/tls/certs/openldap_ca.crt -> /etc/pki/tls/certs/my_real_CA.crt
...

If I need to update the certificates I just switch the symlinks over to 
the new certificates and restart OpenLDAP.

If you have SELinux enabled, make sure that the new certificates have 
the proper security contexts before switching symlinks and restarting 
OpenLDAP.

HTH,
Patrick
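The swap Patrick describes, written out as a script. This is an added example for the thread, not Patrick's or ML's own code: it assumes the generic link names `openldap_ca.crt`, `openldap.crt` and `openldap.key` under `/etc/pki/tls/{certs,private}` (only the first of those appears in Patrick's config; the other two are invented for illustration), replaces each link with `ln -s` to a temporary name plus `mv`, so a concurrent reader never finds the link missing, relabels the new files with `restorecon` for the SELinux caveat, refuses to swap in a certificate whose public key does not match the key, and leaves the restart opt-in via `RESTART=1`.

```shell
#!/bin/sh
# Added example for this thread, not Patrick's script. Repoints the generic
# symlinks that slapd's olcTLS* attributes name at a new CA/cert/key set and
# restarts slapd. All paths are assumptions; set them to what cn=config uses.
CERT_DIR=${CERT_DIR:-/etc/pki/tls/certs}
KEY_DIR=${KEY_DIR:-/etc/pki/tls/private}

# swap_link LINK TARGET
# Replace symlink LINK so that it points at TARGET. Creating a temporary
# link and renaming it over LINK is one rename(2), so there is no window in
# which LINK does not exist (rm + ln -s would leave one).
swap_link() {
    link=$1
    target=$2
    [ -f "$target" ] || { echo "swap_link: $target does not exist" >&2; return 1; }
    tmp="$link.new.$$"
    ln -s "$target" "$tmp" || return 1
    mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }
}

# current_target LINK: print the path LINK currently resolves to.
current_target() {
    readlink "$1"
}

# check_pair CERT KEY
# Verify that KEY is the private key for CERT by comparing the PEM public
# keys derived from each. Skips the check (returns 0) without openssl.
check_pair() {
    command -v openssl >/dev/null 2>&1 || return 0
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# fix_context FILE
# Patrick's SELinux caveat: label the new file from the file-context
# database before slapd is restarted. No-op on hosts without restorecon.
fix_context() {
    command -v restorecon >/dev/null 2>&1 || return 0
    restorecon -v "$1"
}

# swap_all NEW_CA NEW_CERT NEW_KEY
# Full procedure: validate the pair, relabel, swap the three links, restart.
swap_all() {
    new_ca=$1
    new_cert=$2
    new_key=$3
    check_pair "$new_cert" "$new_key" || { echo "swap_all: cert/key mismatch" >&2; return 1; }
    for f in "$new_ca" "$new_cert" "$new_key"; do
        fix_context "$f" || return 1
    done
    swap_link "$CERT_DIR/openldap_ca.crt" "$new_ca"   || return 1
    swap_link "$CERT_DIR/openldap.crt"    "$new_cert" || return 1   # assumed name
    swap_link "$KEY_DIR/openldap.key"     "$new_key"  || return 1   # assumed name
    # slapd reads the files at startup only, so the restart is still required.
    if [ "${RESTART:-0}" = 1 ]; then
        systemctl restart slapd || service slapd restart
    fi
}

# Usage: RESTART=1 sh swap_ldap_tls.sh swap /path/new_ca.crt /path/new.crt /path/new.key
if [ "${1:-}" = "swap" ]; then
    swap_all "$2" "$3" "$4"
fi
```

On a replica, run the same script after the master has been switched, and keep the old files in place until every server restarts cleanly; the links are the only thing that moves, so rolling back is another `swap_link` to the old targets.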