
Using PKIDiag to Detect and Repair Certificate Problems

Novell Cool Solutions: Trench
By Andreas Bach


Posted: 12 Aug 2002

Recently, I had corrupted part of my tree and couldn't create SSL certificates or use the ones I had.

Specifically, I couldn't use any of the following:

  • SSL CertificateIP (which contains the IP address of the server)
  • SSL CertificateDNS (which contains its DNS name)
  • AcmeCorp Wildcard Certificate (which contains *

I wanted these, not for use with my web server, but with NoRM (NetWare Remote Manager), so that I could surf in and get files off of my server in an encrypted fashion.*

I tried to create new certificates (errors!). I re-installed certificate server (Okay, but still can't mint certs!).

With no certs, no SSL! (This is NW5.1 SP4, if that matters).

Turns out there is a magic little utility that fixed all my problems the second time I ran it. Like DSRepair, it fixed some things first pass, and fixed more the second pass.

It is called PKIDiag and it's on the site (and in TIDs etc).

It did the following:

  • Step 1 - Verified the link to the SAS Service Object.
  • Step 2 - Verified the SAS Service Object is linked back to the Server.
  • Step 3 - Verified the link to the KMOs from the Server.
  • Step 4 - Verified the KMOs are usable by the Server.
  • Step 5 - Created IP and DNS Certificates if necessary.

All without running ConsoleOne or NWAdmin32!

For example, here's what happened the first pass:

--> The server's default DNS address is:
Error: A SSL CertificateDNS does not exist
--> Subject Name for SSL CertificateDNS is:
--> Successfully created certificate --- Starting the store process.
--> Created SSL CertificateDNS.
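The five checks above are essentially a consistency walk over eDirectory object links: does the server point at a SAS Service Object, does that object point back, do the server's Key Material Object (KMO) references resolve, is each KMO owned by this server, and is there an IP and a DNS certificate at all. The following toy model is an added illustration of that walk, not Novell's PKIDiag code; the object classes, attribute names ("sasServiceDN", "kmoDNs", "hostServerDN", "subjectName") and the sample tree are constructed for the example and are not the real eDirectory schema. It shows the "first pass fixes some things, second pass is clean" behaviour the article describes: the sample server carries a dangling link to a DNS KMO that no longer exists, so the first repair pass removes the bad link and creates a fresh SSL CertificateDNS, and the second pass reports nothing.

```python
"""Toy model of the five PKIDiag checks (constructed example, not Novell's code).

Objects are dicts keyed by DN. Attribute names are illustrative only.
"""


def build_sample_tree():
    """Constructed tree: server FS1, a SAS object that links back correctly,
    a usable IP KMO, and a dangling reference to a DNS KMO that is missing."""
    return {
        "CN=FS1.O=ACME": {
            "class": "NCP Server",
            "sasServiceDN": "CN=SAS Service - FS1.O=ACME",
            "kmoDNs": [
                "CN=SSL CertificateIP - FS1.O=ACME",
                "CN=SSL CertificateDNS - FS1.O=ACME",  # not present below
            ],
            "ipAddress": "10.0.0.5",
            "dnsName": "fs1.acme.example",
        },
        "CN=SAS Service - FS1.O=ACME": {
            "class": "SAS:Service",
            "hostServerDN": "CN=FS1.O=ACME",
        },
        "CN=SSL CertificateIP - FS1.O=ACME": {
            "class": "NDSPKI:Key Material",
            "hostServerDN": "CN=FS1.O=ACME",
            "subjectName": "10.0.0.5",
        },
    }


def pkidiag(tree, server_dn, repair=False):
    """Run the five checks against server_dn; return [(step, ok, message)].
    With repair=True, fix in place what can be fixed, so a rerun comes out clean."""
    findings = []
    srv = tree[server_dn]
    short, container = server_dn.split(".", 1)  # "CN=FS1", "O=ACME"
    short = short[len("CN="):]

    # Step 1: the server must link to a SAS Service Object that exists.
    sas_dn = srv.get("sasServiceDN")
    sas = tree.get(sas_dn)
    if sas is None or sas["class"] != "SAS:Service":
        findings.append((1, False, "link to the SAS Service Object is missing or dangling"))
        if repair:
            sas_dn = f"CN=SAS Service - {short}.{container}"
            sas = tree.setdefault(sas_dn, {"class": "SAS:Service", "hostServerDN": server_dn})
            srv["sasServiceDN"] = sas_dn
    else:
        findings.append((1, True, "link to the SAS Service Object verified"))

    # Step 2: the SAS Service Object must link back to this server.
    if sas is None:
        findings.append((2, False, "no SAS Service Object to check the back-link on"))
    elif sas.get("hostServerDN") != server_dn:
        findings.append((2, False, "SAS Service Object does not link back to the server"))
        if repair:
            sas["hostServerDN"] = server_dn
    else:
        findings.append((2, True, "SAS Service Object links back to the server"))

    # Step 3: every KMO reference on the server must resolve to a KMO.
    linked = []
    for kmo_dn in srv.get("kmoDNs", []):
        kmo = tree.get(kmo_dn)
        if kmo is None or kmo["class"] != "NDSPKI:Key Material":
            findings.append((3, False, f"dangling KMO link: {kmo_dn}"))
        else:
            findings.append((3, True, f"KMO link verified: {kmo_dn}"))
            linked.append(kmo_dn)
    if repair:
        srv["kmoDNs"] = linked  # drop the dangling references

    # Step 4: each linked KMO must be owned by (usable by) this server.
    usable = []
    for kmo_dn in linked:
        kmo = tree[kmo_dn]
        if kmo.get("hostServerDN") != server_dn:
            findings.append((4, False, f"KMO not usable by this server: {kmo_dn}"))
            if repair:
                kmo["hostServerDN"] = server_dn
                usable.append(kmo_dn)
        else:
            findings.append((4, True, f"KMO usable: {kmo_dn}"))
            usable.append(kmo_dn)

    # Step 5: an IP and a DNS certificate must exist; create them if not.
    required = {"SSL CertificateIP": srv["ipAddress"], "SSL CertificateDNS": srv["dnsName"]}
    for name, subject in required.items():
        prefix = f"CN={name} - "
        if any(dn.startswith(prefix) for dn in usable):
            findings.append((5, True, f"{name} present"))
            continue
        findings.append((5, False, f"A {name} does not exist"))
        if repair:
            new_dn = f"{prefix}{short}.{container}"
            tree[new_dn] = {"class": "NDSPKI:Key Material",
                            "hostServerDN": server_dn, "subjectName": subject}
            srv.setdefault("kmoDNs", []).append(new_dn)
    return findings


if __name__ == "__main__":
    tree = build_sample_tree()
    for n in (1, 2):
        print(f"--- pass {n} ---")
        for step, ok, msg in pkidiag(tree, "CN=FS1.O=ACME", repair=True):
            print(f"Step {step}: {'ok ' if ok else 'ERR'} {msg}")
```

The real tool decides what to do with real schema attributes and real certificate minting; the point of the model is the order of the checks: nothing in step 5 makes sense until steps 1 to 4 have established that the server can see and own its KMOs, which is why a dangling link shows up as "can't create or use certificates" rather than as an obvious certificate error.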


The last step also allows one to create new certificates with different IP addresses or DNS names in them. So I made one called "www acmecorp ca" that contains the internal name:

I then use it to load the NetWare Remote Manager (formerly known as NetWare Portal):

>> begin nrm.ncf >>
# NoRM will connect to the FIRST card bound as listed in
# INETCFG | View Config | Bind Statements
# You can re-arrange these by deleting and re-adding
# your preferred "second" or Private card.
# In my case, I'm happy to let it bind inside first,
# as I'm using DHCPCLnt.nlm to get an address from my ISP.

load httpstk.nlm /HOSTIDS:1 /SSL /keyfile:"www acmecorp ca"
load portal.nlm

# Connect Portal to outside address also!
HTTPBIND /keyfile:"www acmecorp ca"
>> end nrm.ncf >>

So to get any file on my server when I'm away, it's just a quick surf to:

Hopefully this will be of assistance when you're troubleshooting Certificate issues!


* For more info on remote NW 5.1 file access through a browser, please see:
