22.3 If You Don’t Want to Use eDirectory Certificates

For most organizations, the eDirectory certificate solution in OES 2 is an ideal way to eliminate the security vulnerabilities mentioned at the beginning of this chapter. However, some administrators, such as those who have third-party keys installed on their servers, probably want to keep their installed certificates in place.

You can prevent the use of eDirectory certificates for HTTPS services by making sure that the option to use them is not selected on the first eDirectory configuration page. This might or might not require that you change the eDirectory installation option, depending on your scenario.

Table 22-2 outlines the default setting for each scenario.

Table 22-2 Default eDirectory Certificate for HTTPS Settings

Scenario

Certificate Option Setting

Default Result

If you Change the Default Setting

New install

Selected

All HTTPS services on the server are configured to use eDirectory certificates.

All HTTPS services on the server are configured to use the YaST-generated tempoary certificates.

Add-on to SLES 10 or post-install

Selected

All HTTPS services on the server are configured to use eDirectory certificates.

The current service certificates and configurations are retained.

Upgrade from OES 1

Selected

All HTTPS services are configured to use eDirectory certificates.

The current service certificates and configurations are retained.

Upgrade from OES 2

The same option is used as when OES 2 was installed

HTTPS service settings are retained.

No effect.

Once the option to use eDirectory certificates has been used, the behavior can only be changed in eDirectory through iManager.