Server Certificate Object Tasks


Creating Server Certificate Objects

This task is described in Chapter 2. See Creating Server Certificate Objects.


Importing a Public Key Certificate into a Server Certificate Object

You import a public key certificate after you have created a certificate signing request (CSR) and the Certificate Authority (CA) has returned the signed public key certificate to you. This task applies when you have created a Server Certificate object using the Custom option with the External CA signing option.

There are several ways in which the CA can return the certificate. Typically, the CA will either return one or more files each containing one certificate, or a file with multiple certificates in it. These files can be binary, DER-encoded files (.der, .cer, .crt, .p7b) or they can be textual, base64-encoded files (.cer, .b64).

If the file has multiple certificates in it, it must be in PKCS #7 format in order to be imported into a Server Certificate object. Additionally, the file must contain all of the certificates to be imported into the object (the root-level CA certificate, any intermediate CA certificates, and the server certificate).

If the CA returns multiple files to you as a result of signing the certificate, each file will contain a different certificate that must be imported into the Server Certificate object. If there are more than two files (one for the root-level CA, one or more for the intermediate CAs, and one for the server certificate), these files must be combined into a PKCS #7 file in order to be imported into a Server Certificate object.

There are several ways to create a PKCS #7 file. One way is to import all of the certificates into Internet Explorer. After they have been imported, the server certificate and all of the certificates in the certificate chain can be exported in PKCS #7 format using Internet Explorer.

Some CAs do not return a root-level CA certificate along with the server certificate. In order to obtain the root-level CA certificate, contact the CA provider directly or call Novell Support.

To import the certificates into a Server Certificate object:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Importing a public key certificate into a Server Certificate object.

  2. Start ConsoleOne.

  3. Double-click the Server Certificate object.

  4. Click Import Certificates.

    The Import Certificates button is available from either of the pages on the Certificates tab.

  5. Specify the trusted root certificate.

    If all the certificates to be imported are in a single PKCS #7 file, check the No Trusted Root Available check box instead. Otherwise, paste the trusted root certificate into the dialog box or read it from a file, then continue with the following steps:

  6. Click Next.

  7. Indicate the location of the public key certificate you received from the Certificate Authority (CA).

    The public key certificate can be imported either by pasting it into the dialog box or by reading it from a file using the same procedure described in Step 5.

  8. Click Finish.

    This stores all of the certificates entered into the wizard in the Server Certificate object. The Certificate property page now displays the distinguished names of the subject and issuer of the indicated certificate as well as the validity period of the certificate.

  9. To view the details of your newly installed public key certificate, click Details. Click Help for further information about the certificate details page.

  10. Click Close, then click Cancel.

    The Server Certificate object is now ready to be used by any cryptography-enabled application.


Exporting a Trusted Root or Public Key Certificate

You export a certificate to a file, for example to install the trusted root certificate in a browser or to supply a cryptography-enabled application with a copy of the server's public key certificate.

You can export the certificate in two file formats: DER-encoded (.der) and Base64-encoded (.b64). The .crt extension can also be used for DER-encoded certificates. You can also export to the system clipboard in Base64 format so that it can be pasted directly into a cryptography-enabled application.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Exporting a Trusted Root or Public Key Certificate from a Server Certificate object.

  2. Using ConsoleOne, double-click the Server Certificate object that the particular application is configured to use.

  3. Click Certificates, and click the certificate you want to export.

  4. Click Export.

    This opens a wizard that helps you export the certificate to a file.

  5. When asked whether or not to export the private key, click No, then click Next.

  6. Provide a filename and select a format that the certificate should be exported to (binary DER or text encoded base64).

  7. Click Finish.

  8. Use the file as needed.

    For example, if you want to install a trusted root certificate in an Internet Explorer 5.x browser, double-click the file. This initiates a wizard that will accept the CA as a trusted root. Accepting the CA as a trusted root means that the browser will automatically accept SSL connections with services that use certificates issued by this CA.


Deleting a Server Certificate Object

You should delete a Server Certificate object if you suspect that the private key has been compromised, if you no longer want to use the key pair, or if the trusted root in the Server Certificate object is no longer trusted.

IMPORTANT:  After the Server Certificate object is deleted, you will not be able to recover it unless you have previously made a backup. Before you delete this object, make sure that no cryptography-enabled applications still need to use it. You can re-create a Server Certificate object, but you will need to reconfigure any applications that referenced the old object.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Deleting a Server Certificate object.

  2. Start ConsoleOne.

  3. Select the Server Certificate object that you want to delete.

  4. Press the Delete key, then click Yes.


Viewing a Server Certificate Object's Properties

In addition to the eDirectory rights and properties that are viewable with any eDirectory object, you can also view properties specific to the Server Certificate object, including the properties of the public key certificate and the trusted root certificate associated with it, if they exist.

These properties provide you with the information you need to perform any task related to this object.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing the Server Certificate object's properties and certificates.

  2. Start ConsoleOne.

  3. Double-click the Server Certificate object.

    This brings up the property pages for the Server Certificate Object, including a General page, a Certificates page, and property pages related to eDirectory.

  4. Click each tab that you want to view.

  5. Click Cancel.


Viewing a Server Certificate Object's Public Key Certificate Properties

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing the Server Certificate object's properties and certificates.

  2. Start ConsoleOne.

  3. Double-click the Server Certificate object containing the public key certificate that you want to view.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the certificates available to view.

  6. Click Public Key Certificate.

  7. To view additional information about a public key certificate, click Details.

    The Details page has various tabs displaying information contained in the public key certificate.

  8. After you finish viewing the details, click Close > Cancel.


Viewing a Server Certificate Object's Trusted Root Certificate Properties

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Viewing the Server Certificate object's properties and certificates.

  2. Start ConsoleOne.

  3. Double-click the Server Certificate object containing the trusted root certificate that you want to view.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the certificates available to view.

  6. Click the Trusted Root Certificate.

  7. To view additional information about an installed trusted root certificate, click Details.

    The Details page has various tabs displaying information contained in the trusted root certificate.

  8. After you finish viewing the details, click Close, then click Cancel.


Backing Up a Server Certificate Object

Novell Certificate Server allows you to store certificates signed by third-party Certificate Authorities in server certificate objects. Often these certificates cost a significant amount of money. Unfortunately, if an unrecoverable failure happens on the server that owns the certificates, the server certificate object can no longer be used. In order to protect against such failures, you might want to back up server certificates signed by external CAs and their associated private keys. Then, if a failure should occur, you will be able to use the backup file to restore your server certificate object to any server in the tree that has Certificate Server version 2.21 or higher installed.

NOTE:  The ability to back up a server certificate object is only available for objects created with Certificate server version 2.21 or later. In previous versions of Certificate Server, the server's private key was created in a way that made exporting it impossible.

The backup file contains the server's private key, public key certificate, trusted root certificate, and any intermediate CA certificates stored. This information is stored in PKCS #12 format (also known as PFX).

A server certificate object should be backed up when it is working properly. The process is as follows:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Backing up and restoring a Server Certificate object.

  2. Start ConsoleOne.

  3. Double-click the server certificate object.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the available certificates.

  6. Click either the Trusted Root Certificate or the Public Key Certificate. Both certificates will be written to the file during the backup operation.

  7. Click Export.

    This opens a wizard that helps you export the certificates to a file.

  8. When asked whether to export the private key, select Yes, then click Next.

  9. Select the filename and the location for the backup file.

  10. Specify a password of 6 or more alphanumeric characters to use in encrypting the PFX file. Six characters is only the minimum the wizard accepts; anyone who obtains the file can try passwords against it offline at will, so choose a much longer one.

  11. Click Next.

  12. Click Finish.

    The encrypted backup file is written to the location specified. It is now ready to be stored in a secure location for emergency use.

IMPORTANT:  The exported file should be put on a diskette or some other form of backup media and stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a vault to ensure that it is available when needed, but inaccessible to others.


Restoring a Server Certificate Object

If the Server Certificate object has been deleted or corrupted, or if the server that owned the Server Certificate object has suffered an unrecoverable failure, the object can be restored to full operation using a backup file created as described in Backing Up a Server Certificate Object.

NOTE:  The ability to restore a Server Certificate object is only available in Certificate Server version 2.21 or later.

NOTE:  If you were unable to make a backup of the server certificate object, the server certificate object may still be usable if NICI 2.x is installed on the server and a backup was made of the NICI configuration information. See the NICI documentation for information on how to back up and restore the NICI configuration files.

To restore the server certificate object:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Backing up and restoring a Server Certificate object.

  2. Start ConsoleOne.

  3. Delete the old server certificate object.

  4. Right-click the container object and click New > Object.

  5. From the list box in the New Object dialog box, double-click NDSPKI:Key Material.

    This opens the Create a Server Certificate Object dialog box and the corresponding wizard that creates the object.

  6. In the creation dialog box, specify the server that should own the server certificate object and the key pair name of the server certificate. The server specified must have Certificate Server version 2.21 or higher installed and be up and running.

  7. Specify the Import option.

  8. Click Next.

  9. Click Read from File, then select the name of the backup file in the dialog.

  10. Click Next.

  11. Enter the password used to encrypt the file when the backup was made.

  12. Click Finish.

    The server's private key and certificates have now been restored and the server certificate object is fully functional. The backup file can now be stored again for future use if desired.

IMPORTANT:  If the backup file is no longer needed, the file and the media that it was stored on should be destroyed.
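The following is an added example, not part of this documentation and not Certificate Server's own code. It reproduces with the OpenSSL command line what the backup and restore wizards above do with the keying material, so that the contents of a backup file can be inspected before it is relied on, and so that a PFX file of the shape the Replace operation later on this page expects (private key, server certificate, entire chain) can be built outside ConsoleOne. The certificate names, the host name ncs.example.com, the file names and the password are invented for the example.

```shell
#!/bin/sh
# Added example (OpenSSL CLI), not from the Novell documentation or product.
# Builds a password-protected PKCS #12 (.pfx) backup of key + server cert + chain,
# inspects it, rejects a wrong password, and unpacks it again for a restore.
set -e
work=$(mktemp -d); cd "$work"
q() { "$@" 2>/dev/null; }   # hide OpenSSL's key-generation and warning chatter

# Fixture (constructed locally): a self-signed "trusted root", a server
# certificate issued by it, and the server's private key.
q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem
q openssl req -newkey rsa:2048 -nodes -subj "/CN=ncs.example.com" \
    -keyout server.key -out server.csr
q openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -sha256 -days 365 -out server.pem

# Backup: everything the object holds, in one encrypted PKCS #12 file.
# The wizard's minimum is 6 alphanumeric characters; the file can be attacked
# offline by whoever holds it, so the example uses a long random secret.
backup_pfx() {       # backup_pfx OUT.pfx PASSWORD KEY SERVER_CERT CHAIN_CERT...
    out=$1; pw=$2; key=$3; cert=$4; shift 4
    args=""; for c in "$@"; do args="$args -certfile $c"; done
    # shellcheck disable=SC2086
    openssl pkcs12 -export -out "$out" -passout "pass:$pw" \
        -inkey "$key" -in "$cert" $args -name "ncs.example.com key pair" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}
pfx_cert_count() {   # how many certificates the file carries (no key output)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}
pfx_has_key() {      # true when the file also carries a private key
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
# Restore: unpack key, server certificate and CA certificates separately.
restore_pfx() {      # restore_pfx IN.pfx PASSWORD OUTDIR
    mkdir -p "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/server.key" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3/server.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$3/chain.pem" 2>/dev/null
}
# A restored key must belong to the restored certificate (same public key).
key_matches_cert() { # key_matches_cert KEY CERT
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

PW='correct-horse-battery-staple-4711'   # constructed; use a real random secret
backup_pfx backup.pfx "$PW" server.key server.pem root.pem
echo "certificates in backup.pfx: $(pfx_cert_count backup.pfx "$PW")"
if openssl pkcs12 -in backup.pfx -passin pass:wrong -info -noout 2>/dev/null; then
    echo "unexpected: wrong password accepted"
else
    echo "wrong password rejected by the PKCS #12 MAC check"
fi
restore_pfx backup.pfx "$PW" restored
key_matches_cert restored/server.key restored/server.pem && echo "restored key matches certificate"
```

The wrong password is detected before anything is decrypted because the PKCS #12 MAC is computed over the file contents under a key derived from the password. Whether Certificate Server accepts the AES-256/SHA-256 protection chosen here is not stated on this page; if a consumer only understands the older PBE algorithms, replace the -keypbe/-certpbe/-macalg options with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-RC2-40 -macalg sha1` (OpenSSL 3 additionally needs `-legacy` to write RC2).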


Server Certificate Objects and Clustering

You can set up server certificate objects in a clustered environment to ensure that your cryptography-enabled applications that use server certificate objects will always have access to them. Using the backup and restore feature for server certificate objects, you can duplicate the object's keying material from one node in the cluster to all nodes. When the keying material is signed by an external CA, this also saves money: one externally signed server certificate is duplicated rather than new keying material being purchased for every node. Keep in mind that the private key is then present on every node, so a compromise of any one node compromises the key for the whole cluster.

To set up server certificates to work in a clustered environment:

  1. Create a server certificate on a server in the cluster using either the Organizational CA or an external CA of your choice. See Creating Server Certificate Objects.

    When you create the server certificate objects, the Common Name (CN) portion of the certificate's subject name should be an IP or DNS name that is specific to the service. Otherwise, you will receive a browser warning message indicating that the IP or DNS name in the URL does not match that in the certificate. (Current browsers match the host name against the subjectAltName extension rather than the CN.)

    NOTE:  If different services have different IP or DNS addresses, you will need to create a server certificate for each service.

  2. Back up the keying material for this server certificate object, then restore it on every remaining server in the cluster by creating a server certificate object with the same key pair name as the first. See Backing Up a Server Certificate Object and Restoring a Server Certificate Object.


Validating a Server Certificate

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate using ConsoleOne. Any certificate in the eDirectory tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs. The certificate chain for a certificate signed by your Organizational CA is composed of one certificate, which is the Organizational CA's self-signed certificate. Externally signed user and server certificates might have longer chains.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria, including that the current time is within the validity period of the certificate, that the certificate has not been revoked, and that it was signed by a CA that is trusted. Only those certificates with a CRL distribution point extension are checked for revocation, so a Valid result for a certificate that lacks this extension says nothing about whether it has been revoked.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information is provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Validating Server Certificates.

  2. Start ConsoleOne.

  3. Double-click the Server certificate object that contains the certificate you want to validate.

  4. Click Certificates, then click Trusted Root Certificate or Public Key Certificate.

  5. Click Validate.

    The Certificate Validation screen appears, providing the status of the certificate. If the certificate is not valid, the reason is given. Click Details for information about the exact certificate that was considered invalid.
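The following is an added example, not part of this documentation and not Certificate Server's own code. It uses the OpenSSL command line to do outside ConsoleOne what the Import, Export, clustering and Validate sections of this page describe: bundle a server certificate and its CA chain into the single PKCS #7 (.p7b) file the import wizard requires; convert a certificate between the binary DER and base64 encodings the export wizard offers and confirm that its fingerprint is unchanged (the check to make before accepting an exported root as trusted); and validate a certificate the way the Validate button does, covering the trusted-root, validity-period and host-name criteria and showing that revocation is not checked when the certificate carries no CRL distribution point. The CA names, the host name ncs.example.com and the file names are invented for the example.

```shell
#!/bin/sh
# Added example (OpenSSL CLI), not from the Novell documentation or product.
set -e
work=$(mktemp -d); cd "$work"
q() { "$@" 2>/dev/null; }   # hide OpenSSL's key-generation and warning chatter

# --- fixture (constructed locally; stands in for what an external CA returns) --
# root CA -> issuing (intermediate) CA -> server certificate for ncs.example.com,
# plus an unrelated root so that an Invalid result can be shown.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ncs.example.com\n' > server.ext
newcsr()   { q openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"; }
selfsign() { q openssl x509 -req -in "$1.csr" -signkey "$1.key" -sha256 -days 3650 -extfile ca.ext -out "$1.pem"; }
casign()   { q openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
                 -sha256 -days "$3" -extfile "$4" -out "$1.pem"; }
newcsr "Example Root CA" root;      selfsign root
newcsr "Some Other Root CA" other;  selfsign other
newcsr "Example Issuing CA" inter;  casign inter root 1825 ca.ext
newcsr "ncs.example.com" server;    casign server inter 365 server.ext

# --- Import: root, intermediates and server certificate in ONE PKCS #7 file ---
make_p7b() {          # make_p7b OUT.p7b CERT.pem...
    out=$1; shift
    args=""; for c in "$@"; do args="$args -certfile $c"; done
    # shellcheck disable=SC2086
    openssl crl2pkcs7 -nocrl $args -outform DER -out "$out"
}
p7b_cert_count() {    # how many certificates a DER .p7b carries
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}

# --- Export: binary DER (.der/.crt) or base64 text (.b64/.cer) ----------------
pem_to_der()  { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem()  { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }
fingerprint() {       # fingerprint FILE [DER|PEM]; the encoding does not change it
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# --- Validate -----------------------------------------------------------------
validate_chain() {    # validate_chain SERVER ROOT INTERMEDIATE [extra openssl-verify options]
    srv=$1; root=$2; inter=$3; shift 3
    openssl verify -CAfile "$root" -untrusted "$inter" "$@" "$srv" >/dev/null 2>&1
}
has_crl_dp() {        # revocation is only checked for certificates carrying this extension
    openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

make_p7b chain.p7b server.pem inter.pem root.pem
echo "certificates in chain.p7b: $(p7b_cert_count chain.p7b)"
pem_to_der root.pem root.der; der_to_pem root.der root2.pem
echo "root fingerprint (PEM) $(fingerprint root.pem)"
echo "root fingerprint (DER) $(fingerprint root.der DER)"
later=$(( $(date +%s) + 400 * 86400 ))   # beyond the server certificate's 365 days
validate_chain server.pem root.pem inter.pem && echo "Valid: chains to the trusted root"
validate_chain server.pem other.pem inter.pem || echo "Invalid: not issued under that root"
validate_chain server.pem root.pem inter.pem -attime "$later" || echo "Invalid: outside validity period"
validate_chain server.pem root.pem inter.pem -verify_hostname ncs.example.com && echo "host name matches"
has_crl_dp server.pem || echo "no CRL distribution point: revocation was NOT checked"
```

`openssl verify` trusts only what is given with -CAfile and uses -untrusted certificates purely to build the chain, which mirrors the page's trusted-root model: the root is what you imported as trusted, the intermediates are just links. The host-name check is done with `-verify_hostname` rather than `x509 -checkhost` because only the former fails the verification on a mismatch.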


Moving a Server Certificate Object to a Different Server

You can move a Server Certificate Object from one server to another by using the backup and restore procedures outlined in Backing Up a Server Certificate Object and Restoring a Server Certificate Object.

  1. Make sure the Server Certificate Object is functional.

  2. Back up the Server Certificate Object.

  3. Restore the Server Certificate Object to the desired server.

IMPORTANT:  If the backup file is no longer needed, the file and the media that it was stored on should be destroyed.


Replacing a Server Certificate Object's Keying Material

The private key and certificates in the server certificate object can be replaced. Normally they are replaced using a PFX file created during a backup of a server certificate object. Externally generated PFX files can also be used if they contain the private key, the server certificate, and the entire certificate chain. The key and certificates in the file need not match the ones in the object; the data in the file will overwrite the key and certificates in the object.

Replacing the private key and certificates in the server certificate object is a serious matter. If the key and certificates do not exactly match the ones in the object, it is the same as deleting the current server certificate object and creating a new one. See the section Deleting a Server Certificate Object for more information on the consequences of deleting the object.

If the key and certificates do match the ones in the object, replacing the keying material will have no effect except to regenerate a few attributes used by the Secure Authentication Services (SAS) and NILE services.

To replace the keying material on the server certificate object:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Replacing a server certificate's keying material.

  2. Start ConsoleOne.

  3. Double-click the server certificate object.

  4. Click the Certificates tab.

  5. Click the down-arrow to see the available certificates.

  6. Click either the Trusted Root Certificate or the Public Key Certificate.

    The operation can be started from either page. It will replace both certificates as well as the private key and any other certificates in the certificate chain.

  7. Click Replace.

    This opens a wizard that helps you specify the PFX file.

  8. Click Read from File, then select the name of the backup file in the dialog.

  9. Click Next.

  10. Enter the password used to encrypt the file when the backup was made.

  11. Click Finish.

    The server's private key and certificates have now been replaced and the server certificate object is fully functional. The backup file can be stored again for future use if desired.

IMPORTANT:  If the backup file is no longer needed, the file and the media that it was stored on should be destroyed.
