
Using PKIDiag to Detect and Repair Certificate Problems

Novell Cool Solutions: Trench
By Andreas Bach


Posted: 12 Aug 2002

Recently, I had corrupted part of my tree and couldn't create SSL certificates or use the ones I had.

Specifically, I couldn't use any of the following:

  • SSL CertificateIP (which contains the IP address of the server)
  • SSL CertificateDNS (which contains its DNS name)
  • AcmeCorp Wildcard Certificate (which contains *.acmecorp.ca)

I wanted these, not for use with my web server, but with NoRM (NetWare Remote Manager), so that I could surf in and get files off of my server in an encrypted fashion.*

I tried to create new certificates (errors!). I re-installed certificate server (Okay, but still can't mint certs!).

With no certs, no SSL! (This is NW5.1 SP4, if that matters).

Turns out there is a magic little utility that fixed all my problems the second time I ran it. Like DSRepair, it fixed some things first pass, and fixed more the second pass.

It is called PKIDiag and it's on the http://support.novell.com/filefinder site (and in TIDs etc).

It did the following:

  • Step 1 - Verified the link to the SAS Service Object.
  • Step 2 - Verified the SAS Service Object is linked back to the Server.
  • Step 3 - Verified the link to the KMOs from the Server.
  • Step 4 - Verified the KMOs are useable by the Server.
  • Step 5 - Created IP and DNS Certificates if necessary.

All without running ConsoleOne or NWAdmin32!

For example, here's what happened the first pass:

--> The server's default DNS address is: 
    CPE0080c1dd1234.cpe.net.cable.rogers.com
Error: A SSL CertificateDNS does not exist
--> Subject Name for SSL CertificateDNS is:
    .O=ACMECorp.CN=CPE0080c1dd1234.cpe.net.cable.rogers.com
--> Successfully created certificate --- Starting the store process.
--> Created SSL CertificateDNS.

SWEET!

The last step also allows one to create new certificates with different IP addresses or DNS names in them. So I made one called "www acmecorp ca" that contains the internal name: www.acmecorp.ca
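The reason a separate "www acmecorp ca" KMO was needed is that a browser only accepts a certificate whose CN covers the name typed into the address bar: the SSL CertificateDNS above carries the cable-modem hostname, not www.acmecorp.ca. The following is an added example, not part of the original article or a Novell tool, that takes subjects in the dotted ".O=...CN=..." form PKIDiag prints and reports which KMOs would be valid for a given host. The subject values are constructed from the names in the article (the CN of the IP certificate is assumed to be the bound address).

```python
import ipaddress

# Constructed sample KMO subjects in the dotted eDirectory form PKIDiag prints.
# Names are taken from the article; the IP certificate's CN is an assumption.
KMO_SUBJECTS = {
    "SSL CertificateDNS": ".O=ACMECorp.CN=CPE0080c1dd1234.cpe.net.cable.rogers.com",
    "SSL CertificateIP": ".O=ACMECorp.CN=24.1.2.3",
    "AcmeCorp Wildcard Certificate": ".O=ACMECorp.CN=*.acmecorp.ca",
    "www acmecorp ca": ".O=ACMECorp.CN=www.acmecorp.ca",
}


def subject_cn(subject):
    """Extract the CN from a dotted subject such as '.O=ACMECorp.CN=host'."""
    # Split on the '.CN=' marker rather than on '.', because the CN itself
    # is a DNS name full of dots.
    marker = ".CN="
    idx = subject.find(marker)
    if idx < 0:
        raise ValueError("no CN in subject: " + subject)
    return subject[idx + len(marker):]


def name_matches(cn, host):
    """True if a certificate CN covers the host a client connects to.

    IP certificates must equal the literal address, a wildcard covers exactly
    one label on the left, and DNS comparison is case-insensitive.
    """
    cn, host = cn.lower(), host.lower()
    try:
        return ipaddress.ip_address(cn) == ipaddress.ip_address(host)
    except ValueError:
        pass  # at least one side is a DNS name; compare as names below
    if cn.startswith("*."):
        suffix = cn[1:]                      # e.g. ".acmecorp.ca"
        left = host[:-len(suffix)] if host.endswith(suffix) else None
        # One non-empty label only: *.acmecorp.ca covers www.acmecorp.ca,
        # but neither acmecorp.ca nor a.b.acmecorp.ca.
        return bool(left) and "." not in left
    return cn == host


def kmos_covering(host, subjects=KMO_SUBJECTS):
    """Names of the KMOs whose certificate a browser would accept for host."""
    return sorted(k for k, s in subjects.items()
                  if name_matches(subject_cn(s), host))
```

Running kmos_covering("www.acmecorp.ca") lists the wildcard KMO and "www acmecorp ca", while the cable-modem hostname is covered only by SSL CertificateDNS.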

I then use it to load the NetWare Remote Manager (formerly known as NetWare Portal):

>> begin nrm.ncf >>
# NoRM will connect to the FIRST card bound as listed in
# INETCFG | View Config | Bind Statements
# You can re-arrange these by deleting and re-adding
# your preferred "second" or Private card.
# In my case, I'm happy to let it bind inside first,
# as I'm using DHCPCLnt.nlm to get an address from my ISP.

load httpstk.nlm /HOSTIDS:1 /SSL /keyfile:"www acmecorp ca"
load portal.nlm

# Connect Portal to outside address also!
HTTPBIND 24.1.2.3 /keyfile:"www acmecorp ca"
>> end nrm.ncf >>

So to get any file on my server when I'm away, it's just a quick surf to: https://www.acmecorp.ca:8009/sys/

Hopefully this will be of assistance when you're troubleshooting Certificate issues!

Andreas

* For more info on remote NW 5.1 file access through a browser, please see: http://www.novell.com/coolsolutions/netware/features/trenches/tr_nw_files_from_browser_nw.html

