Certificate Authority Tasks


Creating an Organizational Certificate Authority Object

This task is described in Chapter 2. See Creating an Organizational Certificate Authority Object.


Issuing a Public Key Certificate

This task allows you to generate certificates for cryptography-enabled applications that do not recognize Server Certificate objects.

Your Organizational CA works the same way as an external CA. That is, it has the ability to issue certificates from Certificate Signing Requests (CSRs). You can issue certificates using your Organizational CA when a user sends a CSR to you for signing. The user requesting the certificate can then take the issued certificate and import it directly into the cryptography-enabled application.

To issue a public key certificate using ConsoleOne:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Issuing a public key certificate.

  2. Start ConsoleOne.

  3. Click a container object.

  4. On the menu bar, click Tools > Issue Certificate.

  5. Paste a Certificate Signing Request (CSR) into the dialog box, or use the Browse button to locate a CSR file and open it in the dialog box.

  6. Click Next.

  7. Select the Organizational Certificate Authority (CA) to sign the certificate, then click Next.

  8. Specify how the key is to be used, then click Next.

  9. Specify the subject name, the validity period, and the effective and expiration dates, then click Next.

  10. Review the parameters sheet. If it is correct, click Finish. If not, click Back until you reach the point where you need to make changes.

    When you click Finish, a dialog box explains that a certificate has been created. You can save the certificate to the system clipboard in base64 format, to a base64-formatted file, or to a binary DER-formatted file. You can also click Details to view details about the issued certificate.

To issue a public key certificate using Novell iManager:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Issuing a public key certificate.

  3. From the Roles and Tasks menu, click PKI Certificate Management > Issue Certificate.

  4. Use the Browse button to locate a CSR file, open the file, then click Next.

  5. Specify how the key is to be used, then click Next.

  6. Specify the subject name, the validity period, and the effective and expiration dates, then click Next.

  7. Review the parameters sheet. If it is correct, click Finish. If not, click Back until you reach the point where you need to make changes.

    When you click Finish, a dialog box explains that a certificate has been created. You can save the certificate to the system clipboard in base64 format, to a base64-formatted file, or to a binary DER-formatted file. You can also click Details to view details about the issued certificate.


Viewing the Organizational CA's Properties

Besides the eDirectory rights and properties that can be viewed with any eDirectory object, you can also view properties specific to the Organizational CA, including the properties of the public key certificate and the self-signed certificate associated with it.

These properties provide you with the information that you need to perform any task related to this object.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing the Organizational CA's properties and certificates.

  2. Start ConsoleOne.

  3. Double-click the Organizational CA object.

    This brings up the property pages for the Organizational CA, which include a General page, a Certificates page, and property pages related to eDirectory.

  4. Click the tabs that you want to view.


Viewing an Organizational CA's Public Key Certificate Properties

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing the Organizational CA's properties and certificates.

  2. Start ConsoleOne.

  3. Double-click the Organizational Certificate Authority object.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the certificates available to view.

  6. Click the Public Key Certificate.

    This property page displays the fully-typed name of the subject, the issuer's fully-typed name, and the validity dates of the public key certificate.

  7. To view additional information about an installed public key certificate, click Details.

    The Details page displays information contained in the public key certificate on various tabs.

  8. After you finish viewing the details, click Close, then click Cancel.


Viewing the CA's Self-Signed Certificate Properties

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing the Organizational CA's properties and certificates.

  2. Start ConsoleOne.

  3. Double-click the Organizational Certificate Authority object.

  4. Click Certificates.

  5. Click the down-arrow to see the certificates available to view.

  6. Click Self-Signed Certificate.

    The property page displays the subject's fully-typed name, the issuer's fully-typed name, and the validity dates of the self-signed certificate.

  7. To view additional information about the certificate, click Details.

    The Details page displays information contained in the self-signed certificate on various tabs.

  8. After you finish viewing the details, click Close, then click Cancel.


Exporting the Organizational CA's Self-Signed Certificate

The self-signed certificate can be used for verifying the identity of the Organizational CA and the validity of a certificate signed by the Organizational CA.

From the Organizational CA's property page, you can view the certificates and properties associated with this object. From the self-signed certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.

The self-signed certificate that resides in the Organizational CA is the same as the Trusted Root certificate in a server certificate object that has a certificate signed by the Organizational CA. Any service that recognizes the Organizational CA's self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Exporting the Organizational CA's certificate(s).

  2. Start ConsoleOne.

  3. Double-click the Organizational Certificate Authority object.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the available certificates.

  6. Click Self-Signed Certificate.

  7. Click Export.

    This opens a wizard that helps you export the certificate to a file.

  8. When asked whether or not to export the private key, select No, then click Next.

  9. Provide a filename and select a format that the certificate should be exported to (binary DER or text encoded base64).

  10. Click Finish.

    The certificate is saved to the file and is available to be imported into a cryptography-enabled application as the trusted root.


Backing Up an Organizational CA

If you have minted a significant number of certificates using your Organizational CA, you might want to back up your Organizational CA's private key and certificates in case the Organizational CA's host server has an unrecoverable failure. If a failure should occur, you will be able to use the backup file to restore your Organizational CA to any server in the tree that has Certificate Server version 2.21 or higher installed.

NOTE:  The ability to back up an Organizational CA is only available for Organizational CAs created with Certificate Server version 2.21 or later. In previous versions of Certificate Server, the Organizational CA's private key was created in a way that made exporting it impossible.

The backup file contains the CA's private key, self-signed certificate, public key certificate, and several other certificates necessary for it to operate. This information is stored in PKCS #12 format (also known as PFX).

The Organizational CA should be backed up when it is working properly.

To back up an Organizational CA:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Backing up and restoring an Organizational CA.

  2. Start ConsoleOne.

  3. Double-click the Organizational Certificate Authority object.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the available certificates.

  6. Click either the Self-Signed Certificate or the Public Key Certificate. Both certificates will be written to the file during the backup operation.

  7. Click Export.

    This opens a wizard that helps you export the certificates to a file.

  8. When asked whether to export the private key, select Yes, then click Next.

  9. Select the filename and the location for the backup file.

  10. Specify a password with 6 or more alphanumeric characters to use in encrypting the PFX file.

  11. Click Next.

  12. Click Finish.

    The encrypted backup file is written to the location specified. It is now ready to be stored in a secure location for emergency use.

IMPORTANT:  The exported file should be put on a diskette or some other form of backup media and stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a vault to ensure that it is available when needed, but inaccessible to others.


Restoring an Organizational CA

If the Organizational CA object has been deleted or corrupted, or if the Organizational CA's host server has suffered an unrecoverable failure, the Organizational CA can be restored to full operation using a backup file created as described in Backing Up an Organizational CA.

The ability to restore an Organizational CA is only available in Certificate Server version 2.21 or later.

NOTE:  If you were unable to make a backup of the Organizational CA, the Organizational CA might still be recovered if NICI 2.x is installed on the server and a backup was made of the NICI configuration information. With NetWare 6 or later, the NICI configuration information is backed up by default using a backup utility.

To restore the Organizational CA:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Backing up and restoring an Organizational CA.

  2. Start ConsoleOne.

  3. Delete the Organizational CA object if it exists.

  4. Right-click the Security container object, then click New > Object.

  5. From the list box in the New Object dialog box, double-click NDSPKI:Certificate Authority.

    This opens the Create an Organizational Certificate Authority Object dialog box and the corresponding wizard that creates the object.

  6. In the creation dialog box, specify the server that should host the Organizational CA and the name of the Organizational CA object. The server specified must have Certificate Server version 2.21 or higher installed and be up and running.

  7. Specify the Import option.

  8. Click Next.

  9. Click Read from File, then select the name of the backup file in the dialog box.

  10. Click Next.

  11. Enter the password used to encrypt the file when the backup was made.

  12. Click Finish.

    The Organizational CA's private key and certificates have now been restored and the CA is fully functional. The backup file can now be stored again for future use.

IMPORTANT:  If the backup file is no longer needed, the file and the media it was stored on should be destroyed.


Moving the Organizational CA to a Different Server

You can move your Organizational CA from one server to another by using the backup and restore procedures outlined in Backing Up an Organizational CA and Restoring an Organizational CA.

  1. Make sure the Organizational CA is functional.

  2. Back up the Organizational CA.

  3. Delete the Organizational CA object.

  4. Restore the Organizational CA to the desired server.

IMPORTANT:  If the backup file is no longer needed, the file and the media it was stored on should be destroyed.


Validating the Organizational CA's Certificates

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate using ConsoleOne. Any certificate in the NDS tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs. The certificate chain for a certificate signed by your Organizational CA is composed of one certificate, which is the Organizational CA's self-signed certificate. Externally signed user and server certificates might have longer chains.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information will be provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Validating the Organizational CA's Certificates.

  2. Start ConsoleOne.

  3. Double-click the Organizational CA.

  4. Click Certificates, then click Self-Signed Certificate or Public Key Certificate.

  5. Click Validate.

    The Certificate Validation screen appears, providing the status of the certificate. If the certificate is not valid, the reason is given. Click Details for information about the exact certificate that was considered invalid.

  6. Click OK to exit or click Details, if applicable, to view more information.
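The lifecycle these sections describe (issuing a certificate from a CSR, backing up and restoring the CA as a password-protected PKCS #12 file, and validating a one-certificate chain with the criteria listed above), as an added example that is not Novell Certificate Server code and does not use its tools. It assumes the Python `cryptography` package; every name, the CRL URL and the password are constructed for the example.

```python
# Added example (not Novell code): the Organizational CA lifecycle in miniature with the `cryptography` package.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.serialization import pkcs12

PFX_PASSWORD = b"constructed-pfx-pw"  # constructed backup password, 6+ characters as the document requires

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def _build(subject, issuer, pubkey, days, crl_url=None):
    """Common builder; a CRL distribution point extension is added only when crl_url is given."""
    now = dt.datetime.utcnow()  # naive UTC, the form the not_valid_before/after fields use
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number()).not_valid_before(now - dt.timedelta(minutes=1))
         .not_valid_after(now + dt.timedelta(days=days)))
    if crl_url:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b
def make_org_ca(cn="Constructed Organizational CA"):
    """CA key pair plus its self-signed certificate (what the Organizational CA object holds)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_build(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def backup_ca(key, cert, password=PFX_PASSWORD):
    """Backup task: private key + self-signed certificate as a password-encrypted PKCS #12 (PFX) blob."""
    return pkcs12.serialize_key_and_certificates(b"org-ca", key, cert, None,
                                                  serialization.BestAvailableEncryption(password))
def restore_ca(pfx, password=PFX_PASSWORD):  # Restore task; a wrong password raises ValueError
    key, cert, _extra = pkcs12.load_key_and_certificates(pfx, password)
    return key, cert
def make_csr(cn):  # stands in for the CSR a user sends in for signing
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())
def issue_from_csr(ca_key, ca_cert, csr, days=365, crl_url=None):  # Issue Certificate task
    return _build(csr.subject, ca_cert.subject, csr.public_key(), days, crl_url).sign(ca_key, hashes.SHA256())
def validate(cert, root, revoked=frozenset(), now=None):
    """Validate task for a one-certificate chain: validity window, trusted signer, then revocation."""
    now = now or dt.datetime.utcnow()
    if not all(c.not_valid_before <= now <= c.not_valid_after for c in (root, cert)):
        return "Invalid", "a certificate in the chain is outside its validity period"
    if cert.issuer != root.subject:
        return "Invalid", "issuer is not the trusted root"
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return "Invalid", "signature was not made by the trusted CA"
    try:  # revocation is consulted only when the certificate carries a CRL distribution point
        cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return "Valid", "no CRL distribution point, revocation not checked"
    if cert.serial_number in revoked:
        return "Invalid", "certificate is revoked"
    return "Valid", "all checks passed"
```

The `revoked` set stands in for the CRL the distribution point would name; a certificate without that extension is reported Valid without any revocation check, which is the behaviour the validation notes above describe.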


Replacing the Organizational CA

The private key and certificates in the Organizational CA object can be replaced. They can only be replaced using a PFX file created during a backup of an Organizational CA. The key and certificates in the file need not match the ones in the object; the data in the file will overwrite the key and certificates in the object.

Replacing the private key and certificates in the Organizational CA object is a serious matter. If the key and certificates do not exactly match the ones in the object, it is the same as deleting the current Organizational CA and creating a new one. See the section Deleting the Organizational CA for more information on the consequences of deleting the Organizational CA.

If the key and certificates do match the ones in the object, replacing the Organizational CA has no effect. If they match the key and certificates of a previous version of the Organizational CA, the only certificates adversely affected are those signed by the CA whose key and certificates are being replaced. All of those certificates must be deleted and replaced with new ones signed by the new Organizational CA, as described in the section Deleting the Organizational CA.

To replace the private key and certificates on the Organizational CA object:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Replacing the Organizational CA.

  2. Start ConsoleOne.

  3. Double-click the Organizational Certificate Authority object.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the available certificates.

  6. Click either the Self-Signed Certificate or the Public Key Certificate.

    The operation can be started from either page. It will replace both certificates as well as the private key.

  7. Click Replace.

    This opens a wizard that helps you specify the PFX file.

  8. Click Read from File, then select the name of the backup file in the dialog box.

  9. Click Next.

  10. Enter the password used to encrypt the file when the backup was made.

  11. Click Finish.

    The Organizational CA's private key and certificates have now been replaced and the CA is fully functional. The backup file can be stored again for future use if desired.

IMPORTANT:  If the backup file is no longer needed, the file and the media it was stored on should be destroyed.


Deleting the Organizational CA

Deleting the Organizational CA object should only be done if absolutely necessary or if you are restoring the Organizational CA from a backup (see Restoring an Organizational CA). The only safe way to delete the object is to do a backup first so that it can be restored later.

However, there are times when the Organizational CA must be deleted and not restored. For example, when merging trees, only one Organizational CA can be in the resulting tree; the other CA must be deleted. Or, when the Organizational CA's host server has become irreparably damaged and no backup of the CA or the NICI configuration was made, the only option remaining is to delete the CA and to begin again.

If the Organizational CA object must be deleted, use the following steps:

  1. Using ConsoleOne, delete all Server Certificate objects that hold certificates signed by the Organizational CA.

  2. Using ConsoleOne, delete all user certificates signed by the Organizational CA.

    NOTE:  Some certificates may need to be archived to allow users to decrypt data at a later period.

  3. The owners of any certificates issued to outside users or servers should be notified that the Organizational CA is being replaced.

  4. Notify all external users, partners, and customers that the Organizational CA should no longer be trusted. The CA's certificate should be removed from lists of trusted authorities in applications, browsers, etc.

  5. Using ConsoleOne, delete the Organizational CA object.

  6. Create a new Organizational CA object.

  7. Make a backup of the new Organizational CA.

  8. Create new server certificates to replace each of those deleted in Step 1.

  9. Create new user certificates, as needed, to replace those deleted in Step 2.

  10. Issue new certificates for any outside users or servers to replace those invalidated in Step 3.

  11. Publish the new Organizational CA's certificate and notify all external users, partners, and customers about the update.