Troubleshooting Certificate Server Problems
Novell Cool Solutions: Tip
Posted: 2 Jun 2004
Certificate problems can be difficult to spot: their symptoms are often mistaken for other errors. This article gets you started with recognizing and handling common certificate problems. For the complete details, refer to TID 10075982.
There are four basic phases in the troubleshooting approach:
- Access the certificate server
- Run PKIDIAG.NLM
- Test the certificate authority
- Recreate needed certificates
|Accessing the Certificate Server|
- Try to hit the management portal on the public port at HTTP://SERVER_IP:8008.
- Log in and make sure the URL scheme changes from "http" to "https" and the port changes from 8008 to 8009.
If the port is still 8008, you have SSL problems. In this case,
- Verify that the management portal modules (NILE.NLM, HTTPSTK.NLM, and PORTAL.NLM) are loaded.
- Verify that the HTTPSTK module loads successfully with the SSL switches, i.e. with a load line of the form LOAD HTTPSTK /SSL /keyfile:"SSL CertificateIP". On NetWare 6, check this by scrolling up the logger screen until you find the first load statement for the HTTPSTK module. On NetWare 5.x, unload the module and reload it to watch the load messages; several dependent modules will have to be unloaded first.
- If HTTPSTK.NLM loads successfully with the two additional switches (/ssl and /keyfile), and the other two modules (NILE and PORTAL) load as well, try to hit this server on its secure port: HTTPS://SERVER_IP:8009. If the connection fails, you may have certificate server problems. If it succeeds, the certificate server is working and you have configuration problems unrelated to it, possibly related to the certificate or port that the application uses. Note that a browser warning about an untrusted or mismatched certificate still means the SSL handshake completed; only a refused or aborted connection on 8009 points at the key material itself.
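The two port checks above can be scripted so that the result is unambiguous. The following is an added example, not part of the original tip or of Novell's tools: it does a plain HTTP request against 8008, then completes a TLS handshake on 8009 with certificate verification switched off, so that "the server cannot present a key/certificate" (a certificate server problem) is separated from "this workstation does not trust the tree CA" (a trust store problem). It also reads notBefore/notAfter straight out of the DER certificate with a small ASN.1 walker, since an expired "SSL CertificateIP" produces the same symptoms as a missing one. SERVER_IP, the ports, and the embedded sample certificate structure are assumptions made for the example; the TLS 1.0 / security-level tweak is only needed for servers of this vintage and is skipped if the local OpenSSL refuses it.

```python
"""Probe a server's public (8008) and SSL (8009) portal ports and read the
certificate it presents without trusting the tree CA. Added example;
SERVER_IP, ports and the sample certificate below are assumptions."""
import datetime
import socket
import ssl
from http.client import HTTPConnection, HTTPException


def http_alive(host, port=8008, timeout=5):
    """True if the plain-HTTP portal port returns any HTTP response."""
    try:
        conn = HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        conn.getresponse()
        return True
    except (OSError, HTTPException):
        return False


def tls_probe(host, port=8009, timeout=5):
    """Complete a TLS handshake with verification OFF; return the server's
    DER certificate, or None if no handshake could be completed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:  # NetWare-era servers may only speak TLS 1.0 (assumption: allow it)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        pass  # this OpenSSL build refuses; probe still works for TLS 1.2+
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode("ascii"), fmt)


def cert_validity(der):
    """(notBefore, notAfter) of an X.509 DER certificate. Path walked:
    Certificate -> tbsCertificate -> [version] serial sigalg issuer validity."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])
    return _time(*not_before), _time(*not_after)


def diagnose(http_ok, der):
    """Map the probe results onto the article's decision tree."""
    if not http_ok:
        return "8008 down: check that NILE, HTTPSTK and PORTAL are loaded"
    if der is None:
        return "8009 handshake failed: check HTTPSTK /SSL /keyfile, then run PKIDIAG"
    nb, na = cert_validity(der)
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not nb <= now <= na:
        return "8009 OK but certificate outside its validity period: recreate it"
    return "8009 OK: certificate server works, look at the application's config"


def _der(tag, payload):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed stand-in for a certificate (not a real one): only the leading
# tbsCertificate fields the parser walks are populated; validity 2004-2006.
SAMPLE_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))  # [0] version v3
    + _der(0x02, b"\x01")            # serialNumber
    + _der(0x30, b"")                # signature AlgorithmIdentifier
    + _der(0x30, b"")                # issuer Name
    + _der(0x30, _der(0x17, b"040602000000Z") + _der(0x17, b"060602000000Z"))
) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "SERVER_IP"  # assumption
    print(diagnose(http_alive(host), tls_probe(host)))
```

Run it as `python3 probe.py 10.0.0.5` from the ConsoleOne workstation. The parser deliberately stops at the validity field; it is a troubleshooting aid, not a certificate validator, and the verification-off handshake must never be reused for anything other than diagnosis.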
|Running PKIDIAG.NLM|
- Assuming there are certificate server problems, run PKIDIAG.NLM on the server. The module can be downloaded from the support.novell.com website: follow the "patches and files" link and search for the stand-alone PKIDIAG file.
- Copy PKIDIAG.NLM into the SYS:SYSTEM directory.
- Load it from the server console and log in as an admin user when prompted. It then presents a short numbered menu.
- Select option 4 to toggle the mode to FIX.
- Select option 0 to run the repairs.
When it completes, compare the number of errors found with the number of errors fixed. If not all errors were fixed, review the errors listed; typically some SSL objects could not be created successfully.
|Testing the Certificate Authority|
If all errors are reported as corrected, run the portal test again. If not all errors were corrected, the next step is to test the certificate authority itself.
Check the certificate authority by first determining which server hosts it, then attempting to create a certificate for that server:
- Go to ConsoleOne, browse the security container at the root of the tree, and look for the TREENAME Organizational CA object.
- View the properties of this object and note in the General tab which server is listed as the host server. This server is the certificate authority.
- Go to the container where this server object is found, highlight the container, right-click it, and select New > Object > NDSPKI: Key Material.
- Make sure the workstation running ConsoleOne has NICI client version 2.4.2 or later. It is available from the download.novell.com website under the product name Novell International Cryptographic Infrastructure; download and install it on the client if necessary.
- Select the certificate authority server, then name the certificate.
- Allow for the standard method of certificate creation, and select Next.
- At the next window, select Finish.
If you get blank screens or ConsoleOne hangs, you have either a client NICI problem or a ConsoleOne snap-in problem. If you get an error message after selecting Finish, you have either a certificate server problem or a NICI problem, depending on the error number: certificate server errors are in the -12xx range, NICI errors in the -14xx range.
If you get error messages here, then your certificate authority is damaged, which means no other server in the tree will be able to create SSL certificates. The SSL certificates already present, if functional, will continue to function.
If the certificate server on the CA host is broken, every other server in the tree running certificate server is effectively broken in the same way: no new certificates can be created anywhere. The repair is to remove every instance of certificate server from the entire tree (all SSL and SAS objects) together with the Organizational CA object in the Security container, then reinstall certificate server on the server that is to be the certificate authority. Certificate Server does not need to be reinstalled on the other servers in the tree, but their SAS and SSL certificate objects must be deleted and recreated using PKIDIAG. PKIDIAG can be downloaded from http://support.novell.com/filefinder and is included with NetWare 6.5 SP1a. Load PKIDIAG on each server and run options 4, 5, 6, and then 0.
|Recreating Needed Certificates|
Assuming the certificate creates fine on the certificate authority but running PKIDIAG did not recreate all certificates:
- Delete and recreate the SSL objects associated with this particular server, which are found in the same container as the server object. This must be done in ConsoleOne, and the same NICI client prerequisite applies.
- After deleting the SSL objects, allow the eDirectory replicas to synchronize the deletions, or push them along with the following console commands:
    SET DSTRACE=*F
    SET DSTRACE=*H
- Verify that the obituaries have been processed by running DSREPAIR > Advanced options > Check external references. The replacement objects are created under the same names, so do not recreate the certificates until the old objects have been fully purged.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com