I received this question regarding LDAPS certificates and I want to make sure I provide a definitive answer. The issue I see is I'm not sure how AM would determine which cert to use.
Questions about LDAPS server certificates for identity sources
Is there any reason not to have extra certificates installed that aren’t currently needed, or currently valid?
I.e. when we know a server host certificate we’ve installed is going to expire soon, would it suffice to install a newer certificate, giving it a different name, rather than first deleting the currently-installed one so we can install the new one with the same name? Then, after, remove the old one just to be tidy?
And, is it necessary to install the current (short-lived) server host certificate, rather than just installing the (much longer-lived) CA root trust certificate? And even in that case, when _it_ expires years from now, can we install a newer one with a later enddate, and only after that’s installed remove the existing root certificate?
This implies the question, does the installation name we choose when we upload have to match the CommonName that the certificate is for, or can it be different?
Thanks for any illumination you can share; I’m not precisely and confidently certain how Authentication Manager uses its Identity Source Certificates.