Novell Certificate Server incorporates a process that maintains the health and integrity of the Certificate Server components. This process is called the PKI Health Check and it runs when:
- The server reboots.
- eDirectory comes up.
- DSRepair finishes running.
When PKI Health Check runs, it performs the following tasks:

Table 4-2 PKI Health Check Tasks

| Task | Function |
|---|---|
| Verifies the server’s link to the SAS Service object | This task checks whether there is a link from the server object to a SAS:Service object. If the link exists, the task makes sure that the object is named correctly and is in the same context as the server. If the link does not exist, the task checks whether a correctly named object exists in the same context as the server. If such an object exists, the task creates a link from the server to the object. |
| Verifies the SAS Service object | This task checks whether a SAS:Service object exists. If it does not exist, the task creates one and creates a link from the server object to the new object. Then the task checks whether the SAS:Service object has the necessary eDirectory rights. If it does not, the task attempts to give the SAS:Service object the rights it needs. |
| Verifies the links to the KMOs | This task reads the list of Server Certificate objects (or KMOs) that are linked to the SAS:Service object. It checks whether the KMOs are all named correctly and attempts to fix their names if they are not. The task also checks whether the KMOs are all in the same context as the server object and attempts to move them to the correct context if they are not. |
| Checks the Server Certificates (KMOs) | This task reads the names of all KMOs that are in the same container as the server object and puts them in a list. The task then performs the following for each KMO in the list: |
| Reverifies the links to the KMOs | This task reads the list of Server Certificate objects (or KMOs) that are linked to the SAS:Service object. It compares each KMO in this list to the list created in Checks the Server Certificates (KMOs). Using the checks from Checks the Server Certificates (KMOs), the task determines whether there are any problems with the linked certificates and unlinks any KMO that is unusable. The task also determines whether there are any unlinked KMOs that are usable by this server and links them, if they exist. |
| Creates default certificates | This task determines whether Server Self-Provisioning is enabled at the Organizational CA object. If Server Self-Provisioning is not enabled, this step is skipped. If Server Self-Provisioning is enabled, the task calls the NPKICreateDefaultCertificates() API. This API creates or replaces the SSL CertificateIP and the SSL CertificateDNS certificates if: In addition, this API acquires all of the IP and DNS addresses configured for the server and creates or replaces a certificate for each one, such as IP AG *ip address* or IP DNS *dns name*, if: |
| Synchronizes certificates for external services | This task reads the configuration from the SAS:Service object. For each configured entry, the task acquires the certificates and private key from the specified KMO object. If the specified directory does not exist, the task attempts to create it. The task then unwraps the private key and converts it to the specified raw-key format. The task compares any existing private key and certificate files to the ones from the specified KMO. If the keys and certificates are not the same, the task makes a backup of the existing private key and certificate files and then overwrites them with the private key and certificates from the KMO. The keys are written out in PEM format. |
| Exports the eDirectory CA certificate to the file system | The way in which this task is accomplished depends on the operating system you are running. |
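The file-side logic of the "Synchronizes certificates for external services" task, as an added example that is not Novell's code: it assumes the private key and certificate have already been unwrapped from the KMO into PEM text, and the directory, file names and backup suffix are assumptions. The PEM blobs are constructed placeholders, not real key material.

```python
from pathlib import Path
import shutil
import tempfile
import time

# Constructed sample PEM blobs standing in for material unwrapped from a KMO
# (not real keys or certificates).
OLD_KEY = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-OLD-KEY\n-----END PRIVATE KEY-----\n"
OLD_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OLD-CERT\n-----END CERTIFICATE-----\n"
NEW_KEY = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NEW-KEY\n-----END PRIVATE KEY-----\n"
NEW_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-NEW-CERT\n-----END CERTIFICATE-----\n"


def sync_pem_files(target_dir, key_pem, cert_pem,
                   key_name="server.key", cert_name="server.crt"):
    """Mirror the sync step: create the directory if missing, compare the
    existing key/certificate files to the KMO material, back up any files
    that differ, then overwrite them. Returns 'created', 'unchanged' or
    'replaced'. File names and the '.bak' suffix are assumptions."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    key_path, cert_path = target / key_name, target / cert_name
    existing = [p for p in (key_path, cert_path) if p.exists()]
    if (len(existing) == 2 and key_path.read_bytes() == key_pem
            and cert_path.read_bytes() == cert_pem):
        return "unchanged"          # nothing to do, no backup written
    stamp = time.strftime("%Y%m%d%H%M%S")
    for path in existing:           # keep the old material before overwriting
        shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))
    key_path.write_bytes(key_pem)
    key_path.chmod(0o600)           # private key readable by the owner only
    cert_path.write_bytes(cert_pem)
    return "replaced" if existing else "created"


def demo():
    """Run the three cases in a scratch directory; returns the status of each
    call and whether the backup still holds the old key."""
    with tempfile.TemporaryDirectory() as scratch:
        outdir = Path(scratch) / "external" / "svc"   # does not exist yet
        statuses = [
            sync_pem_files(outdir, OLD_KEY, OLD_CERT),  # first run: created
            sync_pem_files(outdir, OLD_KEY, OLD_CERT),  # same material: unchanged
            sync_pem_files(outdir, NEW_KEY, NEW_CERT),  # rotated key: replaced
        ]
        backups = sorted(outdir.glob("server.key.*.bak"))
        backup_ok = len(backups) == 1 and backups[0].read_bytes() == OLD_KEY
        return statuses, backup_ok


if __name__ == "__main__":
    print(demo())   # (['created', 'unchanged', 'replaced'], True)
```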