Alexander,

I don't know if they only get read at startup or not... but it does bring up 
the question: Why?

Protect the file with chmod 440 permissions (with root/root or ldap/ldap or 
whatever the user/group you use to run slapd).

If there are others with root permission to this box that shouldn't or you 
don't want to have access to these files - you /really should/ fix that issue 
first.  Then trust the file system permissions to do their job.

Sadly, I suspect though that you're dead set on keeping the certs password 
protected, and won't be doing the above.

However, you could always just /try/ - if it works, then you know the answer.  
Just get used to restarting/starting slapd being a needless PITA.

Thanks,
- chris
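As an added illustration of the file-permission approach in the reply above (example code, not from either poster), this POSIX shell audit checks that the file named by TLSCertificateKeyFile is mode 0440 or tighter, optionally that it is owned by the expected slapd user, and reports whether the PEM is passphrase-protected. The `make_sample_key` helper writes constructed placeholder PEM files, not real keys, so the audit can be tried without touching a live slapd.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the file named by
# TLSCertificateKeyFile (mode 0440 or tighter, owned by whoever runs slapd)
# and report whether the PEM is passphrase-protected.

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Owning user name of a file (GNU stat, with BSD stat as fallback).
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# 0 if the PEM is passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY" block
# or the legacy "Proc-Type: 4,ENCRYPTED" header), 1 otherwise.
key_is_encrypted() {
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Usage: audit_slapd_key /path/to/key.pem [expected_owner]
# Returns 0 when the file exists, no permission bit outside r--r----- (0440)
# is set, and (if given) the owner matches; prints the reason otherwise.
audit_slapd_key() {
    key=$1; want_owner=${2:-}
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    mode=$(file_mode "$key")
    # 0337 is every bit NOT allowed by 0440 (owner w/x, group w/x, all of other).
    if [ $(( 0$mode & 0337 )) -ne 0 ]; then
        echo "too permissive: $key is mode $mode, want 0440 or tighter"; return 1
    fi
    if [ -n "$want_owner" ] && [ "$(file_owner "$key")" != "$want_owner" ]; then
        echo "wrong owner: $key is owned by $(file_owner "$key"), want $want_owner"; return 1
    fi
    if key_is_encrypted "$key"; then
        echo "note: $key is passphrase-protected; slapd will need the passphrase at start"
    fi
    echo "ok: $key mode $mode"
}

# Write a constructed placeholder PEM (not a real key) for trying the audit.
# Usage: make_sample_key path mode yes|no   (yes = write an "encrypted" block)
make_sample_key() {
    if [ "$3" = yes ]; then
        printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
            '-----END ENCRYPTED PRIVATE KEY-----' > "$1"
    else
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
            '-----END PRIVATE KEY-----' > "$1"
    fi
    chmod "$2" "$1"
}
```

Run `audit_slapd_key /etc/ldap/server.key ldap` (adjust path and user to your install) from a shell that has sourced the file.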

-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org 
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org] On 
Behalf Of Alexander Samad
Sent: Monday, March 22, 2010 11:21 PM
To: openldap-technical@openldap.org
Subject: Fwd: tls private key

Hi

Thought I would re-ask: do certificates only get read at start up? I store my 
certs with a password; can I un-password-protect one, start slapd, and then 
remove the unpassworded cert private file?

Will this be okay until such time as slapd gets restarted?

Alex


---------- Forwarded message ----------
From: Alex Samad <a...@samad.com.au>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: openldap-technical@openldap.org


Hi


I am setting up my syncrepl to use certificates; my problem is I don't want to 
leave my private key for the server unencrypted.

Is the file pointed to by TLSCertificateKeyFile just read at slapd load-up 
time, i.e. can I unencrypt the file, start slapd and then remove the unencrypted 
file?

Alex

