Thanks very much Gavin for all your help. All is working as it should.
-Ivan
Gavin Henry wrote:
----- "Ivan Ordonez" iordonez@nature.berkeley.edu wrote:
Few more questions Gavin.
Our primary domain controller certificate is also expiring next month. What is the best way to handle this? Does the certificate and keys on the backup domain controller has any connection to the certs and keys of the primary domain controller and the other backup domain controller?
Other than being signed by the Certificate Authority, none. As long as you use the same FQDN for the certs as before and the CA doesn't change, then all is good.
I would be relieve to hear that I can make brand new certificate and keys for each machine and they have no connection with each other.
Thanks for all your help.
-Ivan
ghenry@OpenLDAP.org wrote:
----- "Ivan Ordonez" iordonez@nature.berkeley.edu wrote:
Looking at the debug log, it is expired. It puzzle me because the certs on the other two machine are working correctly. Check their expiry dates with:
openssl x509 -in /usr/local/etc/openldap/ldap-slave_cert.pem -text
Since this is the case (certificate expires), is it safe to create a new one for this machine? Of course, then sign it with the cacert, something like:
./CA.sh -newreq ./CA.sh -sign
openldap-technical@openldap.org