23.3 If You Don’t Want to Use eDirectory Certificates

For most organizations, the eDirectory certificate solution in OES 2 is an ideal way to eliminate the security vulnerabilities mentioned at the beginning of this chapter. However, some administrators, such as those who have third-party keys installed on their servers, may prefer to keep their installed certificates in place.

You can prevent the use of eDirectory certificates for HTTPS services by making sure that the option to use them is not selected on the first eDirectory configuration page. This might or might not require that you change the eDirectory installation option, depending on your scenario.

Table 23-2 outlines the default setting for each scenario.

Table 23-2 Default eDirectory Certificate for HTTPS Settings

| Scenario | Certificate Option Setting | Default Result | If You Change the Default Setting |
|---|---|---|---|
| New install | Selected | All HTTPS services on the server are configured to use eDirectory certificates. | All HTTPS services on the server are configured to use the YaST-generated temporary certificates. |
| Add-on to SLES 10 or post-install | Selected | All HTTPS services on the server are configured to use eDirectory certificates. | The current service certificates and configurations are retained. |
| Upgrade from OES 1 | Selected | All HTTPS services are configured to use eDirectory certificates. | The current service certificates and configurations are retained. |
| Upgrade from OES 2 or OES 2 SP1 | The same option is used as when OES 2 was installed | HTTPS service settings are retained. | No effect. |

Once the option to use eDirectory certificates has been applied, the behavior can be changed only in eDirectory through iManager.
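Whichever way the option is set, the outcome worth verifying is which certificate each HTTPS service actually presents afterwards. The following shell script is an added example and is not part of the OES documentation or product: it extracts the issuer of a certificate (from a PEM file or from a live HTTPS endpoint) and classifies it. The classification relies on an assumption that the eDirectory tree CA still carries its default name "Organizational CA"; a renamed CA, a YaST temporary certificate or a third-party certificate all fall into the "other" bucket, which is the signal to look more closely. The host and port passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the OES documentation): report which CA issued the
# certificate an HTTPS service presents, so an administrator can confirm
# whether a service ended up with an eDirectory-issued certificate or kept
# its previous one after the eDirectory certificate option was changed.

# issuer_of_pem FILE -> prints the issuer DN of a PEM-encoded certificate.
# The sed strips the "issuer=" prefix so both old and new OpenSSL output
# formats yield a bare DN.
issuer_of_pem() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# issuer_of_service HOST PORT -> fetches the leaf certificate from a live
# HTTPS endpoint and prints its issuer DN (needs network access).
issuer_of_service() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer | sed 's/^issuer= *//'
}

# classify_issuer "ISSUER_DN" -> prints "edirectory" or "other".
# Assumption: the eDirectory tree CA uses its default object name
# "Organizational CA". Anything else (renamed tree CA, YaST temporary CA,
# third-party CA) is reported as "other" and should be inspected by hand.
classify_issuer() {
    case "$1" in
        *"Organizational CA"*) echo edirectory ;;
        *) echo other ;;
    esac
}

# Usage: sh check_https_cert.sh oes-server.example.com 443   (placeholder host)
# Prints: <classification><TAB><issuer DN>
if [ "$#" -eq 2 ]; then
    iss=$(issuer_of_service "$1" "$2")
    printf '%s\t%s\n' "$(classify_issuer "$iss")" "$iss"
fi
```

Run it once per HTTPS port on the server (for example the iManager, NetStorage and iPrint ports) before and after changing the option; a service that still reports "other" after you expected eDirectory certificates is the one whose configuration was retained, as described in the table above.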