Certificate Authority Tasks


Creating an Organizational Certificate Authority Object

This task is described in Chapter 2. See Creating an Organizational Certificate Authority Object.


Issuing a Public Key Certificate

This task allows you to generate certificates for cryptography-enabled applications that do not recognize Server Certificate objects.

Your Organizational CA works the same way as an external CA. That is, it has the ability to issue certificates from Certificate Signing Requests (CSRs). You can issue certificates using your Organizational CA when a user sends a CSR to you for signing. The user requesting the certificate can then take the issued certificate and import it directly into the cryptography-enabled application.

To issue a public key certificate:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Issue Certificate.

  4. Use the Browse button to locate a CSR file, open the file, then click Next.

  5. Specify the key type, the key usage, and the extended key usage, then click Next.

  6. Specify the certificate basic constraints, then click Next.

  7. Specify the subject name, the validity period, the effective and expiration dates, and any custom extensions, then click Next.

  8. Review the parameters sheet. If it is correct, click Finish. If not, click Back until you reach the point where you need to make changes.

    When you click Finish, a dialog box explains that a certificate has been created. You can save the certificate to the system clipboard in base64 format, to a base64-formatted file, or to a binary DER-formatted file. You can also click Details to view details about the issued certificate.
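The same issuing flow, as an added example with OpenSSL rather than iManager (not part of the Novell documentation): the requester produces a key and CSR, and the CA decides basic constraints, key usage, extended key usage and validity at signing time, which is what steps 5 through 7 capture. The work directory, the CA name "Example Org CA" and the requester name "app.example.test" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Novell documentation: the CSR-signing flow of
# steps 4-7 done with OpenSSL. The CA name "Example Org CA" and the requester
# "app.example.test" are constructed for this demo.
set -eu
WORK="$(mktemp -d)"

# A throw-away self-signed CA standing in for the Organizational CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Org/CN=Example Org CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The requester's side: a key pair and the CSR file that step 4 reads.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Org/CN=app.example.test" \
    -keyout "$WORK/app.key" -out "$WORK/app.csr" 2>/dev/null
}

# Steps 5-7: basic constraints, key usage, extended key usage and the validity
# period are set by the CA at signing time, whatever the CSR asked for.
issue_cert() {  # $1 = validity in days
  printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/app.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days "$1" -extfile "$WORK/leaf.ext" \
    -out "$WORK/app.crt" 2>/dev/null
}

# Step 8 review helper: yes/no for whether the issued certificate's text dump
# contains the given extension wording, e.g. 'CA:FALSE'.
has_ext() {
  openssl x509 -in "$WORK/app.crt" -noout -text | grep -q "$1" && echo yes || echo no
}

# "ok" when the issued certificate chains back to the CA that signed it.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/app.crt" >/dev/null 2>&1 && echo ok || echo fail
}

make_ca && make_csr && issue_cert 365
# Show subject, validity dates and the extensions the CA applied.
openssl x509 -in "$WORK/app.crt" -noout -subject -dates
openssl x509 -in "$WORK/app.crt" -noout -text | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
```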


Viewing the Organizational CA's Properties

Besides the eDirectory rights and properties that can be viewed with any eDirectory object, you can also view properties specific to the Organizational CA, including the properties of the public key certificate and the self-signed certificate associated with it.

To view the Organizational CA's properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

    This brings up the property pages for the Organizational CA, which include a General page, a CRL Configuration page, and a Certificates page.

  4. Click the tabs you want to view.


Viewing an Organizational CA's Public Key Certificate Properties

To view the Organizational CA's public key certificate properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

    This brings up the property pages for the Organizational CA, which include a General page, a CRL Configuration page, a Certificates page, and other eDirectory-related pages.

  4. Click Certificates > Public Key Certificate.

  5. To view additional information about an installed public key certificate, click Details.

  6. Click Close.


Viewing the CA's Self-Signed Certificate Properties

To view the Organizational CA's self-signed certificate properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

    This brings up the property pages for the Organizational CA, which include a General page, a CRL Configuration page, and a Certificates page.

  4. Click Certificates > Self Signed Certificate.

  5. To view additional information about an installed public key certificate, click Details.

  6. Click Close.


Exporting the Organizational CA's Self-Signed Certificate

The self-signed certificate can be used for verifying the identity of the Organizational CA and the validity of a certificate signed by the Organizational CA.

From the Organizational CA's property page, you can view the certificates and properties associated with this object. From the self-signed certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.

The self-signed certificate that resides in the Organizational CA is the same as the Trusted Root certificate in a server certificate object that has a certificate signed by the Organizational CA. Any service that recognizes the Organizational CA's self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.

To export the Organizational CA's self-signed certificate:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

    This brings up the property pages for the Organizational CA, which include a General page, a CRL Configuration page, a Certificates page, and other eDirectory-related pages.

  4. Click Certificates > Self Signed Certificate.

  5. Click Export.

    This starts the Certificate Export wizard. Follow the prompts to export the certificate.

  6. Click Finish.


Backing Up an Organizational CA

Novell recommends that you back up your Organizational CA's private key and certificates in case the Organizational CA's host server has an unrecoverable failure. If a failure should occur, you can use the backup file to restore your Organizational CA to any server in the tree that has Certificate Server version 2.21 or higher installed.

NOTE:  The ability to back up an Organizational CA is only available for Organizational CAs created with Certificate Server version 2.21 or later. In previous versions of Certificate Server, the Organizational CA's private key was created in a way that made exporting it impossible.

The backup file contains the CA's private key, self-signed certificate, public key certificate, and several other certificates necessary for it to operate. This information is stored in PKCS #12 format (also known as PFX).

The Organizational CA should be backed up when it is working properly.

To back up the Organizational CA:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

  4. Click Certificates, then click either the Self Signed Certificate or the Public Key Certificate. Both certificates are written to the file during the backup operation.

  5. Click Export.

    This opens a wizard that helps you export the certificates to a file.

  6. When asked whether to export the private key, select Yes, then click Next.

  7. Specify a password with 6 or more alphanumeric characters to use in encrypting the PFX file, then click Next.

  8. Click the Save the exported certificate to a file link, then provide the filename and the location for the backup file.

  9. Click Save.

  10. Click Close.

    The encrypted backup file is written to the location specified. It is now ready to be stored in a secure location for emergency use.

IMPORTANT:  The exported file should be put on a diskette or some other form of backup media and stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a safe place to ensure that it is available when needed, but inaccessible to others.
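What the step-7 PFX file holds, and the test restore worth doing while the CA is still working, as an added example with OpenSSL (not part of the Novell documentation). The CA subject and file names are constructed, and the password is a placeholder standing in for the one the operator chooses.

```shell
#!/bin/sh
# Added example, not from the Novell documentation: a PKCS #12 (PFX) backup of
# a CA's private key and certificate, and a test restore of it. The CA subject
# and file names are constructed; PASS is a placeholder, not a real password.
set -eu
WORK="$(mktemp -d)"
PASS="placeholder-backup-pw"

# A throw-away self-signed CA standing in for the Organizational CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Org/CN=Example Org CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Backup: private key plus certificate in one password-encrypted PFX file,
# the equivalent of answering Yes to "export the private key" in the wizard.
backup_ca() {
  openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
    -name "Example Org CA backup" -passout "pass:$PASS" -out "$WORK/ca-backup.pfx"
}

# The file is useless without the password: "rejected" when a wrong one fails.
try_wrong_password() {
  if openssl pkcs12 -in "$WORK/ca-backup.pfx" -passin "pass:not-the-password" \
       -nokeys -out /dev/null 2>/dev/null; then echo accepted; else echo rejected; fi
}

# Test restore: extract key and certificate and confirm they belong together
# by comparing public keys. "match" means the backup can actually be restored.
restore_and_check() {
  openssl pkcs12 -in "$WORK/ca-backup.pfx" -passin "pass:$PASS" -nocerts -nodes \
    -out "$WORK/restored.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/ca-backup.pfx" -passin "pass:$PASS" -nokeys \
    -out "$WORK/restored.crt" 2>/dev/null
  k="$(openssl pkey -in "$WORK/restored.key" -pubout 2>/dev/null | openssl sha256)"
  c="$(openssl x509 -in "$WORK/restored.crt" -pubkey -noout | openssl sha256)"
  [ "$k" = "$c" ] && echo match || echo mismatch
}

make_ca && backup_ca && restore_and_check
```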


Restoring an Organizational CA

If the Organizational CA object has been deleted or corrupted, or if the Organizational CA's host server has suffered an unrecoverable failure, the Organizational CA can be restored to full operation using a backup file created as described in Backing Up an Organizational CA.

The ability to restore an Organizational CA is only available in Certificate Server version 2.21 or later.

NOTE:  If you were unable to make a backup of the Organizational CA, the Organizational CA might still be recovered if NICI 2.x is installed on the server and a backup was made of the NICI configuration information. With NetWare 6 or later, the NICI configuration information is backed up by default using a backup utility.

To restore the Organizational CA:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. (Conditional) If the Organizational CA object still exists, you need to delete it.

    1. From the Roles and Tasks menu, click eDirectory Administration > Delete Object.

    2. Browse to and click on the Organizational CA object.

    3. Click OK.

  4. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

    This opens the Create an Organizational Certificate Authority Object dialog box and the corresponding wizard that creates the object.

  5. In the creation dialog box, specify the server that should host the Organizational CA and the name of the Organizational CA object. The server specified must have Certificate Server version 2.21 or higher installed and be up and running.

  6. Specify the Import option.

  7. Click Next.

  8. Click Read from File, then select the name of the backup file in the dialog box.

  9. Click Open.

  10. Enter the password used to encrypt the file when the backup was made.

  11. Click Finish.

    The Organizational CA's private key and certificates have now been restored and the CA is fully functional. The backup file can now be stored again for future use.

IMPORTANT:  Be sure to protect your backup media.


Moving the Organizational CA to a Different Server

You can move your Organizational CA from one server to another by using the backup and restore procedures outlined in Backing Up an Organizational CA and Restoring an Organizational CA.

  1. Make sure the Organizational CA is functional.

  2. Back up the Organizational CA.

  3. Delete the Organizational CA object.

  4. Restore the Organizational CA to the desired server.

IMPORTANT:  Be sure to protect your backup media.


Validating the Organizational CA's Certificates

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate using iManager. Any certificate in the NDS tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information will be provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click Novell Certificate Server > Create Certificate Authority.

  4. Click Certificates, then click Public Key Certificate or Self Signed Certificate.

  5. Click Validate.

    The status of the certificate is reported in the Certificate Status field. If the certificate is not valid, the reason is given. Click Details for information about the exact certificate that was considered invalid.

  6. Click OK.
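The checks the Validate button performs (a chain back to a trusted root, the validity period of every certificate in it, and whether a revocation check even applies) reproduced with OpenSSL, as an added example that is not part of the Novell documentation. Subjects, file names and the CRL distribution point URI are constructed placeholders; like iManager, OpenSSL can only check revocation against a CRL it is given, so this example stops at showing which certificate carries the extension.

```shell
#!/bin/sh
# Added example, not from the Novell documentation: the checks behind Validate
# (chain to a trusted root, validity period, whether revocation checking
# applies) reproduced with OpenSSL. Subjects, file names and the CRL URI are
# constructed placeholders.
set -eu
WORK="$(mktemp -d)"
sign() {  # sign CSR $1 with CA cert $2 and key $3, extension file $4, $5 days -> $6
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -sha256 \
    -days "$5" -extfile "$4" -out "$6" 2>/dev/null
}

# Root CA -> intermediate CA -> leaf: the chain shape the text describes. The
# leaf carries a CRL distribution point, so a validator would check revocation.
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:http://crl.example.test/int.crl\n' >"$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  sign "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext" 1825 "$WORK/int.crt"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  sign "$WORK/leaf.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.ext" 365 "$WORK/leaf.crt"
}

# Run an openssl verify command: print Valid or Invalid, with OpenSSL's reason
# (which certificate failed and why) on stderr.
verdict() {
  if out="$("$@" 2>&1)"; then echo Valid; else
    printf '%s\n' "$out" | grep 'depth lookup' >&2 || true; echo Invalid; fi
}
validate_chain() {  # full chain, evaluated now
  verdict openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"
}
validate_without_intermediate() {  # chain cannot be built back to the trusted root
  verdict openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"
}
validate_at() {  # $1 = Unix time: the validity-period check at another moment
  verdict openssl verify -attime "$1" -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"
}
has_crl_dp() {  # yes/no: only certificates with this extension get a revocation check
  openssl x509 -in "$WORK/leaf.crt" -noout -text | grep -q 'CRL Distribution Points' && echo yes || echo no
}

build_chain
validate_chain
validate_at "$(( $(date +%s) + 400 * 86400 ))"   # leaf expired by then -> Invalid
```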


Deleting the Organizational CA

Deleting the Organizational CA object should only be done if absolutely necessary or if you are restoring the Organizational CA from a backup (see Restoring an Organizational CA). The only safe way to delete the object is to do a backup first so that it can be restored later.

However, there are times when the Organizational CA must be deleted and not restored. For example, when merging trees, only one Organizational CA can be in the resulting tree; the other CA must be deleted. Or, when the Organizational CA's host server has become irreparably damaged and no backup of the CA or the NICI configuration was made, the only option remaining is to delete the CA and to begin again.

To delete the Organizational CA object:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. Back up the self-signed certificate without the private key.

  4. Create a trusted root certificate using the self-signed certificate in the CN=trusted roots.CN=security container.

  5. From the Roles and Tasks menu, click eDirectory Administration > Delete Object.

  6. Browse to and click on the Organizational CA object.

  7. Click OK.