Install LemonLDAP::NG SSO/IAM on Nethserver

In anticipation of the last two posts on Single sign-on (SSO)/Identity and access management (IAM) for Nethserver being moved here, where I think they’d fit better, I’ll address them here.

On the question of certificates: as I say in the installation instructions, assuming you’re already using the Neth GUI’s facility for a Let’s Encrypt certificate, and you’re using (as most everything on the system really wants you to) the default certificate for everything, it’s easy. In the Cockpit GUI, go to System -> Certificates and click on Let’s Encrypt certificate. This will bring up a window listing all the names currently on the default system cert. Use the Add domain button at the bottom to add the hostnames for the portal and the manager (by default, auth.yourdomain and manager.yourdomain), then click the Request button. The system will request a new certificate, covering all the existing hostnames in addition to the two new ones. It will also renew that cert as necessary, and you shouldn’t need to deal with it again.

If you want to use a separate cert, of course, you’re free to do so, but then its creation or renewal will be your responsibility. If you use certbot to obtain it, you’ll need to set up a daily cronjob to run certbot renew (and make sure --post-hook "/sbin/e-smith/signal-event certificate-update" is part of the command you run to obtain the cert).

On the z-lemonldap-ng-handler.conf file, I hadn’t templated that one or the API .conf file, as I’m not really using them so far–but it looks like the default files are causing some problems. I’ll get an update out shortly to address those.

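For the separate-certificate case described in the post, where renewal becomes your own responsibility, a check like the following can run after each renewal to confirm the certificate still lists the portal and manager hostnames and is not close to expiry. This is an added example, not part of the original post or the LemonLDAP::NG module; the function names are hypothetical, the certificate path and hostnames are supplied by the caller, and it assumes the `openssl` command is installed.

```bash
#!/usr/bin/env bash
# Added example: check that a certificate covers the required hostnames
# (exact, case-insensitive match) and stays valid for a minimum number of days.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Print every hostname from $2.. that the certificate $1 does NOT list.
cert_missing_names() {
    local cert=$1 names host
    shift
    names=$(cert_dns_names "$cert")
    for host in "$@"; do
        printf '%s\n' "$names" | grep -Fxqi -- "$host" || printf '%s\n' "$host"
    done
}

# Succeed if the certificate $1 is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# Usage: check_cert CERT.pem MIN_DAYS host1 [host2 ...]
# Returns 1 if a hostname is missing, 2 if the certificate expires too soon.
check_cert() {
    local cert=$1 days=$2 missing
    shift 2
    missing=$(cert_missing_names "$cert" "$@")
    [ -z "$missing" ] || { echo "not covered: $missing" >&2; return 1; }
    cert_valid_for_days "$cert" "$days" \
        || { echo "expires within $days days" >&2; return 2; }
}

# Run the check only when arguments are given, for example (placeholder values):
#   ./check-cert.sh /path/to/fullchain.pem 14 auth.example.com manager.example.com
if [ "$#" -ge 3 ]; then
    check_cert "$@"
fi
```

A non-zero exit status from a cron job or monitoring check gives early warning that `certbot renew` has stopped working or that a hostname was dropped from the certificate.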