Thanks very much Gavin for all your help.  All is working as it should.

-Ivan

Gavin Henry wrote:
----- "Ivan Ordonez" <iordonez@nature.berkeley.edu> wrote:

Few more questions Gavin.

Our primary domain controller certificate is also expiring next month.
What is the best way to handle this? Do the certificate and keys on
the backup domain controller have any connection to the certs and keys
of the primary domain controller and the other backup domain
controller?

Other than being signed by the Certificate Authority, none. As long as
you use the same FQDN for the certs as before and the CA doesn't change, 
then all is good.

I would be relieved to hear that I can make a brand new certificate and
keys for each machine and they have no connection with each other.

Thanks for all your help.

-Ivan


ghenry@OpenLDAP.org wrote:

----- "Ivan Ordonez" <iordonez@nature.berkeley.edu> wrote:

Looking at the debug log, it is expired. It puzzles me because the
certs on the other two machines are working correctly. Check their
expiry dates with:

openssl x509 -in /usr/local/etc/openldap/ldap-slave_cert.pem -text

Since this is the case (certificate expires), is it safe to create a
new one for this machine? Of course, then sign it with the cacert,
something like:

./CA.sh -newreq
./CA.sh -sign
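Gavin's rule above (same FQDN, same CA, otherwise the servers' certs are independent) reduces to three checks worth running on each renewed cert before it goes into slapd.conf. This is an added example, not code from the thread: a POSIX shell function around openssl's -checkend and -checkhost, plus a constructed throwaway CA and server cert so it runs offline; the file names, the 30-day warning and the hostname ldap-slave.example.org are assumptions.

```shell
#!/bin/sh
# check_ldap_cert CERT CACERT FQDN [WARN_DAYS]
# Returns 0 only if CERT is unexpired, chains to CACERT and names FQDN.
check_ldap_cert() {
    cert=$1; cacert=$2; fqdn=$3; warn_days=${4:-30}
    # 1. Not expired (checked first: 'openssl verify' also fails on expiry,
    #    which would hide the real reason). -checkend takes seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "$cert: already expired" >&2; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "$cert: expires within $warn_days days" >&2
    fi
    # 2. Signed by our CA: the only thing the servers' certs have in common.
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not chain to $cacert" >&2; return 1
    fi
    # 3. Carries the FQDN clients and replicas connect to (SAN dNSName,
    #    falling back to the subject CN). -checkhost prints, never fails.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "$cert: name does not match $fqdn" >&2; return 1
    fi
    echo "$cert: OK for $fqdn, $(openssl x509 -in "$cert" -noout -enddate)"
}

# Constructed demo PKI (assumption, not the list's own files): a throwaway
# CA and a server cert for FQDN valid for DAYS days, with a SAN added
# via -extfile because 'x509 -req' does not copy it from the CSR.
make_demo_pki() {   # DIR FQDN DAYS
    dir=$1; fqdn=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo LDAP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/ldap-slave_key.pem" -out "$dir/ldap-slave.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/ldap-slave.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days "$days" \
        -extfile "$dir/san.cnf" -out "$dir/ldap-slave_cert.pem" 2>/dev/null
}

# Demo run: a cert with 20 days left passes but triggers the 30-day warning.
demo=$(mktemp -d)
make_demo_pki "$demo" ldap-slave.example.org 20
check_ldap_cert "$demo/ldap-slave_cert.pem" "$demo/cacert.pem" ldap-slave.example.org
```

On a real server point it at the files from slapd.conf, e.g. `check_ldap_cert ldap-slave_cert.pem cacert.pem $(hostname -f)`, and run it from cron so the next expiry is caught before clients start failing.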