Tool

(View Disclaimer)

The Certificate Creation script recreates the certificates on OES1, OES2, and OES 11 servers using a Personal Information Exchange File. With an additional parameter it will also restart all the necessary services. The following information is obtained in the script execution process.

Platforms Supported:

32 and 64 bit OES1, OES2, and OES 11 are currently supported.

Script Process:

1. Prechecks are done to verify if the current certificates are good.
2. The following files are backed up with the date and time appended.
   

   /etc/ssl/servercerts/servercert.pem
   /etc/ssl/servercerts/serverkey.pem
   /var/lib/novell-lum/x.x.x.x.der
   /etc/opt/novell/SSCert.pem //OES1
   /etc/opt/novell/certs/SSCert.pem //OES2 and OES 11

3. Creation of new Certificates
   

   /etc/ssl/servercerts/serverkey.pem
   /etc/ssl/servercerts/servercert.pem
   /etc/opt/novell/SSCert.pem //OES1
   /etc/opt/novell/SSCert.der //OES1
   /etc/opt/novell/certs/SSCert.pem //OES2 and OES 11
   /etc/opt/novell/certs/SSCert.der //OES2 and OES 11
   /var/lib/novell-lum/x.x.x.x.der	

4. Postchecks are done to verify if the new certificates are good.
5. Reloads services (optional but recommended)
   

   owcimond
   nldap
   namcd
   apache2	

Installation Instructions for Version 2 & 3:

1. Download certificate-creation-3.0.tbz
2. Open a Terminal window and type “su”
3. Enter root’s password
4. Extract the script from the tarball
   #tar –xjvf certificate-creation-3.0.tbz
5. Make the script executable.
   #chmod 755 certificate-creation.sh
6. Delete current eDirectory certificates.
   
   1. In iManager, go to Novell Certificate Access -> Server Certificates.
   2. Select the server you plan on recreating the certificates on (looks like a magnifying glass)
   3. Select all certificates in the list and click delete.
7. Delete the SAS Service Object.
   
   1. In iManager, go to Novell Certificate Access -> SAS Service Object.
   2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
   3. Check the box next to the SAS Service object and click delete.
8. Go to the terminal opened in step #2 and type "ndsconfig upgrade". This will create new eDirectory certificates for this server.
9. Export the Personal Information Exchange File using iManager.
   
   1. In iManager, go to Directory Administration -> Modify Object
   2. Select the SSL CertificateDNS - YourServerName certificate object, which by default is in the same eDirectory context as your server object and click OK
   3. Go to the Certificates tab of the certificate object and click Validate. It should come back as Valid.
   4. Select Export.
   5. Select "Export private key" and "Include all certificates in the certification path if available."
   6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
   7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
10. Run the certificate-creation.sh script
    #./certificate-creation-3.0.sh -f /directory/fileName.pfx -c o=Organization -l -r

Installation Instructions for Version 1.x:

1. Download certificate-creation-1.1.tbz
2. Open a Terminal window and type “su”
3. Enter root’s password
4. Extract the script from the tarball
   #tar –xjvf certificate-creation-1.1.tbz
5. Make the script executable.
   #chmod 755 certificate-creation.sh
6. Export the Personal Information Exchange File using iManager.
   
   1. In iManager, go to Directory Administration -> Modify Object
   2. Select the SSL CertificateDNS - YourServerName certificate object, which by default is in the same eDirectory context as your server object and click OK
   3. Go to the Certificates tab of the certificate object and click Validate. It should come back as Valid. If not, there is something wrong with your Certificate Authority and you should rectify this problem and regenerate the certificates before continuing.
   4. Select Export.
   5. Select "Export private key" and "Include all certificates in the certification path if available."
   6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
   7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
7. Run the certificate-creation.sh script
   #./certificate-creation-1.1.sh -f /directory/fileName.pfx -c -r

Fixes and Enhancements:

Version 1.1
1. The script will now check if your are root
2. OES2 x86_64 is now supported
3. A relative path to the .pfx file can now be used.

Version 2.0
1. This script will now do pre and post checks to see if the certificates are good or bad
2. Color was also added for easier reading

Version 3.0
1. No longer displays the password when the ldap search throws an error

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.