Required OES SSL Certificates compared to SLES Certificates
I have two OES 2015 SP1 / SLES 11 SP4 servers in the eDirectory tree. In eDir, I see the following certs:
DNS AG 192\.xxx\yyy\.2 - server2.DOMAIN
DNS AG server1\.ourdomain\.com - server1.DOMAIN
DNS AG server2\.ourdomain\.com - server2.DOMAIN
IP AG 192\.xxx\yyy\.2 - server2.DOMAIN
IP AG 192\.xxx\yyy\.1 - server1.DOMAIN
SSL CertificateDNS - server1
SSL CertificateDNS - server2
When I ran the 'Repair Default Certificates' in eDir, it repaired all except the first one. Also, note that I don't have a corresponding "DNS AG 192\...." for server1, only for server2. Is this type of certificate not necessary?
Then when I look at the SLES certificates through the YaST Certificate Authority app, it shows completely different 'Valid From' and 'Valid To' dates.
So the other question is: when do the various certificates get used? Do the SLES certificates ever get used? I have seen OES servers where the SLES CA and server certs are no longer valid, but the server seems to operate fine as long as the eDir certificates are valid.
One more thing: which certificate is used for LDAP authentication to the server? One of the nice things about ZENworks Configuration Management 2017 SP4 is that it tells you 90 days ahead of time when a server certificate will expire, but it doesn't say which certificate it is concerned about. I'm using LDAP authentication from ZENworks to the server.
Any help would be appreciated.
Re: Required OES SSL Certificates compared to SLES Certificates
SLES certificates are independent of eDir certs. You can use YaST to manage these certs if you need them for certain services. They are not used by OES services.
LDAP relies on eDir certs. So renew all certs via iManager (select "renew all", not only the expired ones), and restart the server. This should bring the certs from eDir to the host. (Needless to say, eDir should be healthy, etc. 😉)
Then you can export the eDir CA (without the private key) and import it on the hosts that make an LDAPS connection to eDir.
After this you can delete all expired(!) certs in iManager. These are useless.
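A check for the question of which certificate LDAP actually uses and which one ZENworks is warning about, added here as an example (not code from the thread): it pulls the leaf certificate the LDAPS listener presents and reports its subject, issuer, validity dates and whether it expires within a given window, so the matching object in iManager can be identified. It assumes openssl is installed, LDAPS on port 636, and uses placeholder host names.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the certificate an LDAPS
# listener really presents, so it can be matched against the eDir objects
# listed in iManager and against the expiry warning ZENworks raises.
# Assumes openssl is on the PATH; host and port below are placeholders.

# Leaf certificate presented by $1:$2, as PEM on stdout (LDAPS is TLS
# from the first byte, so no -starttls is needed on port 636).
server_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM
}

# Subject of the certificate in PEM file $1, e.g. "CN=server1.ourdomain.com".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Issuer, validity window and SHA-256 fingerprint of the certificate in PEM file $1.
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -dates -fingerprint -sha256 -nameopt RFC2253
}

# Returns 0 if the certificate in PEM file $1 expires within $2 days
# (or has already expired), 1 if it stays valid beyond that window.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        return 1
    fi
    return 0
}

# Usage, only when CHECK_HOST is set (placeholder values, not real hosts):
#   CHECK_HOST=server1.ourdomain.com CHECK_PORT=636 sh check_ldaps_cert.sh
if [ -n "${CHECK_HOST:-}" ]; then
    tmp=$(mktemp)
    server_cert "$CHECK_HOST" "${CHECK_PORT:-636}" > "$tmp"
    echo "subject: $(cert_subject "$tmp")"
    cert_summary "$tmp"
    if cert_expires_within "$tmp" 90; then
        echo "WARNING: this certificate expires within 90 days"
    fi
    rm -f "$tmp"
fi
```

Compare the printed subject and notAfter date with the 'SSL CertificateDNS' and 'DNS AG' objects in iManager; the one whose dates match is the certificate the LDAPS listener serves.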