It's a matter of preference. Those 'huge clunky files' are easy to parse from the command line. When it's time to renew the cert, I can simply update the parts that were updated (usually just the host cert) rather than having to generate a new hash.
I understand where you're coming from, but I prefer this way. It really is easier to trace/fix/replace.
Or perhaps I'm misunderstanding you.
- chris
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Thursday, August 14, 2014 11:17 AM
To: Chris Jacobs; Andrew Devenish-Meares; openldap-technical@openldap.org
Subject: RE: CA and Intermediate Certificates
--On Thursday, August 14, 2014 10:22 AM -0700 Chris Jacobs Chris.Jacobs@apollo.edu wrote:
# grep TLS.*File slapd.conf
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
Or just use TLSCACertificatePath and hash the CA certs, rather than using huge clunky files...
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
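As an added example (not code from either poster or from the OpenLDAP project), here is a small POSIX shell routine that builds the hash-named directory Quanah's TLSCACertificatePath suggestion relies on, handles the renewal case Chris raises (a renewed CA with the same subject gets the next suffix instead of overwriting the old link), and includes the verify check worth running before pointing slapd at the directory. The function names and the one-PEM-per-file input layout are assumptions; the naming rule is the one c_rehash / openssl rehash use.

```shell
#!/bin/sh
# Added example (not from either poster): build the hash-named CA directory
# that TLSCACertificatePath expects, the same layout c_rehash / openssl rehash
# produce. Assumption: SRC holds one PEM CA certificate per *.pem file.
set -eu

# rehash_dir SRC DST: link each CA cert into DST as <subject_hash>.<n>.
# OpenSSL looks up issuers by subject hash, so two CAs with the same subject
# (e.g. a renewed CA with a new key) must get distinct suffixes, not overwrite.
rehash_dir() {
  src=$1; dst=$2
  mkdir -p "$dst"
  for pem in "$src"/*.pem; do
    [ -f "$pem" ] || continue
    hash=$(openssl x509 -noout -subject_hash -in "$pem")
    n=0
    while [ -e "$dst/$hash.$n" ]; do
      # identical cert already linked: nothing to do (rerun is idempotent)
      cmp -s "$pem" "$dst/$hash.$n" && continue 2
      n=$((n + 1))
    done
    abs=$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")
    ln -s "$abs" "$dst/$hash.$n"
  done
}

# count_links DST: how many hash-named entries DST now holds
count_links() { ls -1 "$1" | wc -l | tr -d ' '; }

# verify_chain DST CERT: the check worth running before pointing slapd at DST;
# succeeds only if CERT chains to a CA found through the hashed directory
verify_chain() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
```

After a CA renewal, rerun rehash_dir: the earlier link is kept and the renewed CA lands on the next suffix, so both stay trusted until you delete the old link yourself.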