Certificate Renewal Tips for IDM Drivers


A Forum reader recently asked:

"I have been at a number of places now where DirXML or IDM is installed. Certificates work fine, no one touches them ... and then they suddenly fail.

If it is 2 years after the initial install, it is a dead giveaway a Cert expired."

And here are responses from David Gersic and Yancey Yeargan ...


David Gersic

When setting up an IDM driver with certificates, I *always* create my own certificate just for the driver to use. The expiration date on it is set to "max". Always. That way, the silly thing doesn't expire and stop working on me.

Yes, I got bit by that once too. That's why I do it this way now, so as not to get bitten by it again. Similarly, for LDAP, I create its own certificate for that too. I don't use the default ones for anything.

Yancey Yeargan

As someone who uses custom SSL certs for IDM, LDAP, and some web servers, I developed a pattern of setting up a cron job to e-mail me about two weeks before a cert will expire. I adjust the cron job each time I renew a certificate.

If you are doing eDir-to-eDir synchronization, you must still have one tree sign the other's cert (or have a third-party CA sign both certs). If any of the certs are signed by a high-profile CA (like Verisign, Thawte, etc.), you would have to go through the renewal process manually, anyway.

Of course, pkidiag is convenient if all your certs are signed by your own tree's CA, but not all of us have the luxury to use it that way.
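The reminder cron job described above, as an added example that is not from either of the posts: instead of a fixed date that has to be edited after every renewal, it reads the notAfter date out of the certificate file itself and only prints (so cron only mails) when the certificate is inside the warning window. It assumes OpenSSL and GNU date are installed; the file paths and the 14-day window are illustrative.

```shell
#!/bin/sh
# Added example (not from the forum posts). Assumes OpenSSL and GNU date.

# days_until <notAfter string as printed by openssl, e.g. "Jun 10 12:00:00 2030 GMT">
# Prints whole days from now until that instant (negative once it has passed).
days_until() {
    end_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# within_window <days_left> <warn_days>: succeeds when a warning is due,
# i.e. the certificate expires within warn_days or has already expired.
within_window() {
    [ "$1" -le "$2" ]
}

# cert_not_after <cert.pem>: the notAfter field of a PEM certificate.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_cert <cert.pem> [warn_days]: prints one warning line when the
# certificate is inside the window; silent otherwise, so a cron job with
# MAILTO set only sends mail when something needs attention.
# Returns 0 (fine), 1 (warning issued) or 2 (certificate unreadable).
check_cert() {
    cert=$1; warn=${2:-14}
    not_after=$(cert_not_after "$cert") || { echo "ERROR: cannot read $cert"; return 2; }
    left=$(days_until "$not_after") || { echo "ERROR: cannot parse date in $cert"; return 2; }
    if within_window "$left" "$warn"; then
        echo "WARNING: $cert expires in $left day(s) (notAfter=$not_after)"
        return 1
    fi
    return 0
}

# Constructed crontab entry: run daily at 07:00 against the driver's cert.
#   MAILTO=idm-admins@example.com
#   0 7 * * * /usr/local/bin/check-cert.sh /etc/idm/driver-cert.pem 14
if [ $# -gt 0 ]; then
    check_cert "$@"
fi
```

Point the same script at the LDAP server and eDirectory CA certificates as well, one crontab line per file, and the "two weeks before" reminder no longer needs hand-editing after each renewal.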