The SSL engine has 'nsSSLPersonalitySSL' to declare which certificate should be used for SSL.
It would be useful for the attribute encryption engine to have a similar option so that, if not set, by default it would use the SSL cert, but optionally it could be set so that a different certificate can be selected by name so that the two can be separated.
In this way, SSL certificates can be updated every couple of years when they expire, but the attribute encryption certificate can be set to a long-lived self-signed certificate which does not have to change (thus requiring data export/reimport) when the public-facing cert does.
Some related references:
- sf 00691794 - bz 893178 - attrcrypt_decrypt_entry: FAILING because decryption operation failed
- sf 00923022 - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1024451
Metadata Update from @nkinder: - Issue set to the milestone: 1.3.6.0
Metadata Update from @mreynolds: - Custom field component reset (from Security - SSL) - Issue close_status updated to: None - Issue set to the milestone: 1.4 backlog (was: 1.3.6.0)
Metadata Update from @mreynolds: - Custom field component adjusted to None - Custom field reviewstatus adjusted to None - Issue tagged with: RFE
We'll look at this in https://pagure.io/389-ds-base/issue/49525
Metadata Update from @mreynolds: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/909
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: duplicate)