On 01/09/13 23:48 -0500, Adam Wolfe wrote:
I am looking at having to install a new CA cert on our LDAP server(s) and thus swapping out the client certs as well. This totals roughly 250 different machines.
I am wondering about the easiest way to go about this. Is there some grace period that can be set to allow me to relax and get to all the clients over a week's time? Or possibly the ability to use two certs? Then just slowly remove the old ones from the clients?
This doesn't sound like an LDAP-specific issue, and there are better places to ask. But here's one approach:
1. Distribute your new CA certificate, alongside your existing one, to all hosts.
2. Replace your host/client/server certs one at a time.
3. Remove the old CA certificate from all hosts.
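The three steps above, rehearsed end to end with throwaway certificates so the transition bundle can be checked before anything is touched on a real host. This is an added example, not code from the thread; it assumes the openssl CLI (1.1.1 or 3.x), and every CA, key and cert it uses is generated on the spot as constructed test data with made-up names.

```shell
#!/bin/sh
# CA rollover rehearsal: old CA -> transition bundle (both CAs) -> new CA only.
# Everything under $WORK is constructed here; nothing is taken from a real host.
WORK=$(mktemp -d)
# Minimal req config so CA certs carry CA:TRUE on any openssl version.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: self-signed CA in $WORK/NAME.crt with key in $WORK/NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
# issue_cert CA NAME: leaf cert for NAME signed by CA (what step 2 swaps out)
issue_cert() {
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}
# chains_to LEAF BUNDLE: exit 0 if LEAF verifies against any CA in BUNDLE
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# ready_for_old_ca_removal LEAF: the check to run on every host before step 3
ready_for_old_ca_removal() {
    chains_to "$1" "$WORK/new-ca.crt"
}

# Today: hosts trust old-ca and hold a client cert it issued.
make_ca old-ca && issue_cert old-ca ldap-client
# Step 1: ship BOTH CAs to every host as one bundle; order is irrelevant.
make_ca new-ca
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/transition-bundle.pem"
# Step 2 (per host, at your own pace): reissue the client cert from new-ca.
issue_cert new-ca ldap-client-renewed
# Step 3 is safe only once every host's cert passes ready_for_old_ca_removal.
for leaf in ldap-client ldap-client-renewed; do
    for bundle in transition-bundle.pem new-ca.crt; do
        if chains_to "$WORK/$leaf.crt" "$WORK/$bundle"; then s=OK; else s=FAIL; fi
        echo "$leaf vs $bundle: $s"
    done
done
```

The old-CA cert validates against the transition bundle but fails against new-ca.crt alone, which is exactly the host that would break if step 3 ran early.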