Using PKIDiag to Detect and Repair Certificate Problems
Novell Cool Solutions: Trench
By Andreas Bach
Posted: 12 Aug 2002
Recently, I had corrupted part of my tree and couldn't create SSL certificates or use the ones I had.
Specifically, I couldn't use any of the following:
- SSL CertificateIP (which contains the IP address of the server)
- SSL CertificateDNS (which contains its DNS name)
- AcmeCorp Wildcard Certificate (which contains *.acmecorp.ca)
I wanted these, not for use with my web server, but with NoRM (NetWare Remote Manager), so that I could surf in and get files off of my server in an encrypted fashion.*
I tried to create new certificates (errors!). I re-installed certificate server (Okay, but still can't mint certs!).
With no certs, no SSL! (This is NW5.1 SP4, if that matters).
Turns out there is a magic little utility that fixed all my problems the second time I ran it. Like DSRepair, it fixed some things first pass, and fixed more the second pass.
It is called PKIDiag and it's on the http://support.novell.com/filefinder site (and in TIDs etc.).
It did the following:
- Step 1 - Verified the link to the SAS Service Object.
- Step 2 - Verified the SAS Service Object is linked back to the Server.
- Step 3 - Verified the link to the KMOs from the Server.
- Step 4 - Verified the KMOs are usable by the Server.
- Step 5 - Created IP and DNS Certificates if necessary.
All without running ConsoleOne or NWAdmin32!
For example, here's what happened the first pass:
--> The server's default DNS address is: CPE0080c1dd1234.cpe.net.cable.rogers.com
Error: A SSL CertificateDNS does not exist
--> Subject Name for SSL CertificateDNS is: .O=ACMECorp.CN=CPE0080c1dd1234.cpe.net.cable.rogers.com
--> Successfully created certificate
--- Starting the store process.
--> Created SSL CertificateDNS.
The last step also allows one to create new certificates with different IP addresses or DNS names in them. So I made one called "www acmecorp ca" that contains the internal name: www.acmecorp.ca
I then use it to load the NetWare Remote Manager (formerly known as NetWare Portal):
>> begin nrm.ncf >>
# NoRM will connect to the FIRST card bound as listed in
# INETCFG | View Config | Bind Statements
# You can re-arrange these by deleting and re-adding
# your preferred "second" or Private card.
# In my case, I'm happy to let it bind inside first,
# as I'm using DHCPCLnt.nlm to get an address from my ISP.
load httpstk.nlm /HOSTIDS:1 /SSL /keyfile:"www acmecorp ca"
load portal.nlm
# Connect Portal to outside address also!
HTTPBIND 126.96.36.199 /keyfile:"www acmecorp ca"
>> end nrm.ncf >>
So to get any file on my server when I'm away, it's just a quick surf to: https://www.acmecorp.ca:8009/sys/
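The reason a separate "www acmecorp ca" certificate was needed, rather than reusing the SSL CertificateDNS that PKIDiag minted, is that a browser only trusts a certificate whose name matches the host in the URL. The following Python script is an added example (not part of the original post and not PKIDiag code) that models that match for the four certificates mentioned above; the names and the scrubbed IP are constructed sample values, and wildcard matching follows the usual left-most-label rule.

```python
import ipaddress

# Constructed sample name lists, modelled on the certificates the post lists:
# the IP cert, the DNS cert PKIDiag created, the wildcard cert, and the one
# minted by hand for NoRM. Real KMOs would carry these in subject/SAN fields.
CERTS = {
    "SSL CertificateIP": ["126.96.36.199"],
    "SSL CertificateDNS": ["CPE0080c1dd1234.cpe.net.cable.rogers.com"],
    "AcmeCorp Wildcard Certificate": ["*.acmecorp.ca"],
    "www acmecorp ca": ["www.acmecorp.ca"],
}


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A single '*' is allowed only as the
    whole left-most label, needs at least two labels after it, and never
    matches across dots (so '*.acmecorp.ca' covers www.acmecorp.ca but
    not acmecorp.ca or a.b.acmecorp.ca)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # rejects '*', '*.ca', 'w*.acmecorp.ca', 'a.*.ca'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(names, host: str) -> bool:
    """True if the URL host (DNS name or IP literal) matches one of the
    certificate's names. An IP literal only matches an IP name exactly;
    it is never matched against a DNS name or wildcard."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for name in names:
        if ip is not None:
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                continue  # a DNS name can't satisfy an IP-literal URL
        elif _name_matches(name, host):
            return True
    return False


def usable_certs_for(host: str):
    """Which of the server's certificates would satisfy a browser opening `host`."""
    return [kmo for kmo, names in CERTS.items() if cert_matches_host(names, host)]
```

Running usable_certs_for("www.acmecorp.ca") lists the wildcard and "www acmecorp ca" certificates but not SSL CertificateDNS, which is exactly why the post's HTTPBIND line names its own keyfile.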
Hopefully this will be of assistance when you're troubleshooting Certificate issues!
* For more info on remote NW 5.1 file access through a browser, please see: http://www.novell.com/coolsolutions/netware/features/trenches/tr_nw_files_from_browser_nw.html
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com