Digital certificates are essential for securing network-wide and intranet communications in an OES environment. A certificate can be signed and issued by an eDirectory Certificate Authority (CA), by your organizational CA, or by a third-party CA.
Up to OES 2023, some services that provide secure communication are configured by default to use a self-signed server certificate created by YaST. We recommend using an eDirectory server certificate or a CA-signed certificate instead of a self-signed one, because they provide more security and trust. For more information on eDirectory Certificate Server, see Understanding the Certificate Server in the NetIQ eDirectory Administration Server.
The following issues arise because many OES services need certificates:

- Self-signed certificates offer a minimal level of security and trust.
- Certificate expiration:
  - Services are stopped.
  - The OES services are not trusted by the clients.
- When a certificate is about to expire, the administrator is not notified. As a result, certificate expiration is challenging to avoid.
- No details are available about which services use the certificates, or about the certificates' path and format.
- Insufficient documentation.
We have implemented the following to address all certificate-related issues:

- By default, all services on OES are configured to use eDirectory server certificates.
- A new component helps with certificate management on OES.

Centralized certificate management helps administrators manage the certificate lifecycle. Its features are:

- Mail notifications inform the administrator and the root user of the certificates' impending expiration.
- Indicates where each service's certificates can be found.
- Indicates the certificate's type, such as whether it is self-signed or CA-signed.
- Indicates whether the certificates are still valid.
- Reconfigures the OES services to use a new certificate when certificates are invalid, corrupted or expired.
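The checks listed above (certificate location per service, self-signed versus CA-signed, validity, and an expiry warning suitable for a notification mail) can be reproduced on any Linux host with openssl. The script below is an added example, not OES code or the product's own tool: the inventory file format, the service names and the certificate paths are constructed placeholders, not the real OES locations.

```shell
#!/bin/sh
# Added example (not OES code): report type, validity and days to expiry
# for each service certificate listed in a constructed inventory file.
# Service names and paths are placeholders, not real OES locations.

# check_cert SERVICE CERT_PATH [WARN_DAYS]
# Prints "service|type|status|days"; returns 0 only when the certificate is
# valid and outside the warning window (1 = needs action, 2 = unreadable).
check_cert() {
    service=$1 cert=$2 warn_days=${3:-30}
    [ -r "$cert" ] || { echo "$service|unknown|missing|?"; return 2; }
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) \
        || { echo "$service|unknown|unparsable|?"; return 2; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    # A self-signed certificate (YaST default, CA root) names itself as issuer.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        ctype=self-signed
    else
        ctype=ca-signed
    fi
    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        status=expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        status=expiring
    else
        status=valid
    fi
    # Days until notAfter; "?" if this date(1) cannot parse OpenSSL's format.
    end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    if end_epoch=$(date -d "$end" +%s 2>/dev/null); then
        days=$(( (end_epoch - $(date +%s)) / 86400 ))
    else
        days='?'
    fi
    echo "$service|$ctype|$status|$days"
    [ "$status" = valid ]
}

# check_inventory FILE [WARN_DAYS]: FILE holds "service /path/cert.pem" lines.
# Output is a notification mail body; exit status is non-zero if any service needs attention.
check_inventory() {
    inventory=$1 warn_days=${2:-30} rc=0
    while read -r service cert; do
        case $service in ''|'#'*) continue ;; esac
        check_cert "$service" "$cert" "$warn_days" || rc=1
    done < "$inventory"
    return $rc
}
```

Run `check_inventory /path/to/inventory 30` from cron and mail the output when the exit status is non-zero; the days column is "?" only on systems whose date(1) lacks GNU-style parsing.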
A browser-based tool (Unified Management Console, or UMC) that enables remote management of certificates across servers will be available in upcoming releases.
This section describes the procedures to install and use centralized certificate management on the OES server.