Moving the Certificate Authority From One Server to Another
Novell Cool Solutions: Feature
Posted: 26 Jun 2002
Here's some good information from Novell engineering about CA (Certificate Authority) moves:
Moving the CA from one server to another is supported with Certificate Server v2.21 or better. The versions of Certificate Server shipping with NetWare/eDirectory are the following:
- NetWare 6.0: CertServer 2.21
- eDirectory 8.6.x NetWare/NT: CertServer 2.23
- eDirectory 8.6.x Solaris/Linux: CertServer 2.20
Backup and restore of the CA is supported with NetWare 6.0 and eDirectory 8.6.x on NetWare and NT. It is not supported on eDirectory 8.6.x for UNIX.
This functionality is available through ConsoleOne. From the properties view of the CA object, click the Certificates tab, then click the Export button, select the option to export the private key along with the certificate, and proceed through the wizard.
Test by importing the CA into another tree and validate that you can create new certificates.
Import is available through the create CA (NDSPKI:Certificate Authority) wizard. Once you are satisfied that this is working, go back to your first tree, delete the CA object, and recreate a new CA object, but select the import option. During the import, the wizard will ask you to specify a server. The server you specify must be running Certificate Server 2.21 or better (i.e. installed with NetWare 6.0 or later, or installed with eDirectory 8.6.x or later).
You can only export the CA if it was created with Certificate Server v2.21 or later. This is because versions prior to v2.21 did not set the CA's private key to be extractable from NICI.
If you upgraded from NetWare 5.1 or from eDir 8.5 and you did not recreate the CA with version 2.21 of Certificate Server or better, it will not be exportable.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com