Required OES SSL Certificates compared to SLES Certificates

Can someone point me to documents that explain, or help me understand, what SSL certificates are required on an OES server and what the difference is between the certificates in eDirectory and those of the SLES server itself? I am confused as to which ones are necessary and which ones are left over from earlier upgrades. Recently I saw that the certificates were expiring, so I used iManager to renew them. They all appeared to be renewed properly except one.

I have two OES 2015 SP1 / SLES 11 SP4 servers in the eDirectory tree. In eDir, I see the following certs:

DNS AG 192.xxx.yyy.2 - server2.DOMAIN
DNS AG server1.ourdomain.com - server1.DOMAIN
DNS AG server2.ourdomain.com - server2.DOMAIN
IP AG 192.xxx.yyy.2 - server2.DOMAIN
IP AG 192.xxx.yyy.1 - server1.DOMAIN
SSL CertificateDNS - server1
SSL CertificateDNS - server2

When I ran 'Repair Default Certificates' in eDir, it repaired all except the first one. Also, note that I don't have a corresponding "DNS AG 192...." certificate for server1, only for server2. Is this type of certificate not necessary?

Then when I look at the SLES certificates through the YaST Certificate Authority module, they have completely different 'Valid From' and 'Valid To' dates.

So the other question is: when do the various certificates get used? Do the SLES certificates ever get used? I have seen OES servers where the SLES CA and server certs are no longer valid, but the server seems to be operating fine as long as the eDir certificates are valid.

One more thing: which certificate is used for LDAP authentication to the server? One of the nice things about ZENworks Configuration Management 2017 SP4 is that it tells you 90 days ahead of time when a server certificate will expire, but it doesn't say which certificate it is concerned about. I'm using LDAP authentication from ZENworks to the server.

Any help would be appreciated.

  • SLES certificates are independent of eDir certs. You can use YaST to manage these certs if you need them for certain services. They are not used by OES services.

    LDAP relies on eDir certs. So renew all certs via iManager (select 'renew all', not only the expired ones), and restart the server. This should bring the certs from eDir to the host. (Needless to say, eDir should be healthy, etc.)

    Then you can export the eDir CA (without the private key) and import it on the hosts that make an LDAPS connection to eDir.

    After this you can delete all expired(!) certs in iManager. They are useless.
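As an added example, not code from the thread, the following shell helpers let you see which certificate an LDAPS endpoint actually serves (and so which one matters for ZENworks LDAP authentication), verify it against the exported eDir CA, match it to a certificate file on the host, and flag it with a 90-day warning window. They assume openssl and GNU date are installed; the host, port and CA file path are placeholders.

```shell
# Added example (not from the original thread). Assumes openssl and GNU date;
# host, port and CA file path are placeholders.

# Subject, issuer, expiry and SHA-256 fingerprint of the certificate served on
# the LDAPS port, verified against the CA bundle in $3 (e.g. the eDir CA that
# was exported without its private key).
ldaps_served_cert() {
  host="$1"; port="${2:-636}"; cafile="$3"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
      -CAfile "$cafile" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

# Fingerprint of a certificate file, so the served certificate can be matched
# to a file on the host (e.g. the YaST-managed SLES server cert; path assumed).
cert_file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Days from now until the "notAfter=..." line that openssl prints
# (negative if the certificate has already expired).
days_until() {
  end=$(printf '%s\n' "$1" | sed 's/^notAfter=//')
  end_s=$(date -u -d "$end" +%s) || return 1
  now_s=$(date -u +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# OK / WARNING / EXPIRED for a day count; the default 90-day window mirrors
# the ZENworks warning mentioned in the question.
expiry_status() {
  days="$1"; warn="${2:-90}"
  if [ "$days" -lt 0 ]; then echo EXPIRED
  elif [ "$days" -le "$warn" ]; then echo WARNING
  else echo OK
  fi
}

# Usage (placeholder values):
#   ldaps_served_cert server1.example.com 636 /path/to/edir-ca.pem
#   cert_file_fingerprint /path/to/servercert.pem
#   expiry_status "$(days_until "$(ldaps_served_cert server1.example.com 636 /path/to/edir-ca.pem | grep '^notAfter=')")"
```

If the served fingerprint matches the certificate you exported from eDir rather than the YaST-managed file, that confirms the answer above: it is the eDir certificate, not the SLES one, that LDAPS clients see.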