Understanding the Novell Certificate Server

Novell Certificate Server allows you to mint, issue, and manage digital certificates by creating a Security container object and an Organizational Certificate Authority (CA) object. The Organizational CA object enables secure data transmissions and is required for Web-related products such as NetWare Web Manager and NetWare Enterprise Web Server. The first eDirectory server will automatically create and physically store the Security container object and Organizational CA object for the entire eDirectory tree. Both objects are created and must remain at the top of the eDirectory tree.

Only one Organizational CA object can exist in an eDirectory tree. After the Organizational CA object is created on a server, it cannot be moved to another server. Deleting and re-creating an Organizational CA object invalidates any certificates associated with the Organizational CA.

IMPORTANT: Make sure that the first eDirectory server is the server on which you intend to permanently host the Organizational CA object, and that this server will be a reliable, accessible, and continuing part of your network.

If this is not the first eDirectory server on the network, the installation program finds and references the eDirectory server that holds the Organizational CA object. The installation program accesses the Security container and creates a Server Certificate object.

If an Organizational CA object is not available on the network, Web-related products will not function.


Rights Required to Perform Tasks on Novell Certificate Server

To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table.

Novell Certificate Server Task                  | Rights Required
------------------------------------------------+------------------------------------------------
Base security setup for installing the first    | Supervisor right at the root of the tree
server into a new tree, or upgrading the first  | Supervisor right on the Security container
server in a tree where no base security was     |
previously installed                            |
------------------------------------------------+------------------------------------------------
Base security setup for installing subsequent   | Supervisor right on the server's container
servers                                         | Supervisor right on the W0 object (located
                                                | inside the Security container)
------------------------------------------------+------------------------------------------------
Creating the Organizational CA                  | Supervisor right on the Security container
------------------------------------------------+------------------------------------------------
Creating Server Certificate objects             | Supervisor right on the server's container
                                                | Read right to the NDSPKI:Private Key attribute
                                                | on the Organizational CA's object

The root administrator can also delegate the authority to use the Organizational CA by assigning rights to subcontainer administrators. Subcontainer administrators require the following rights to install Novell eDirectory with SSL security:

These rights are assigned to a group or a role, where all the administrative users are defined. For a complete list of required rights to perform specific tasks associated with Novell Certificate Server, refer to the Novell Certificate Server online documentation.


Ensuring Secure eDirectory Operations on Linux, Solaris, AIX, and HP-UX Systems

eDirectory includes Public Key Cryptography Services (PKCS), which contains the Novell Certificate Server that provides Public Key Infrastructure (PKI) services, Novell International Cryptographic Infrastructure (NICI), and the SAS-SSL server.

The following sections provide information about performing secure eDirectory operations:

For information about using external certificate authority, refer to the Novell Certificate Server Administration Guide.


Verifying Whether NICI Is Installed and Initialized on the Server

Verify the following conditions, which indicate that the NICI module has been properly installed and initialized:

  • The file /etc/nici.cfg exists
  • The directory /var/novell/nici exists
  • The file /var/novell/nici/primenici exists

If these conditions are not met, follow the procedure in the next section, Initializing the NICI Module on the Server.


Initializing the NICI Module on the Server

  1. Stop the eDirectory server.

    • On Linux systems, enter

      /etc/rc.d/init.d/ndsd stop

    • On Solaris systems, enter

      /etc/init.d/ndsd stop

    • On AIX systems, enter

      /etc/rc.d/init.d/ndsd stop

    • On HP-UX systems, enter

      /sbin/init.d/ndsd stop

  2. Verify whether the NICI package is installed.

    • On Linux systems, enter

      rpm -qa | grep nici

    • On Solaris systems, enter

      pkginfo | grep NOVLniu0

    • On AIX systems, enter

      rpm -qa | grep nici

    • On HP-UX systems, enter

      swlist | grep NOVLniu0

  3. (Conditional) If the NICI package is not installed, install it now.

    You will not be able to proceed if the NICI package is not installed.

  4. Copy the .nfk file provided with the package to the /var/novell/nici directory.

    Execute the /var/novell/nici/primenici program.

  5. Start the eDirectory server.

    • On Linux systems, enter

      /etc/rc.d/init.d/ndsd start

    • On Solaris systems, enter

      /etc/init.d/ndsd start

    • On AIX systems, enter

      /etc/rc.d/init.d/ndsd start

    • On HP-UX systems, enter

      /sbin/init.d/ndsd start
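The verification and initialization steps above, as an added example script (not part of the Novell documentation or the eDirectory package). It encodes the three NICI indicators and the per-platform init script and package-query commands from the procedure. Two things are assumptions of the example, not options of the Novell tools: a ROOT prefix (empty on a live server) so the checks can be exercised against a staging directory tree, and a DRY_RUN variable that prints each privileged command instead of running it.

```sh
#!/bin/sh
# Check whether NICI is installed and initialized; if not, walk the procedure.
# ROOT prefix and DRY_RUN are conveniences of this example (assumptions).

# nici_installed ROOT -> 0 when all three indicators from the text exist
nici_installed() {
  root=${1:-}
  [ -f "$root/etc/nici.cfg" ] &&
  [ -d "$root/var/novell/nici" ] &&
  [ -f "$root/var/novell/nici/primenici" ]
}

# ndsd_init_script OSNAME -> init script path used in the stop/start steps
# OSNAME is what `uname -s` prints (Solaris reports itself as SunOS).
ndsd_init_script() {
  case $1 in
    Linux|AIX) echo /etc/rc.d/init.d/ndsd ;;
    SunOS)     echo /etc/init.d/ndsd ;;
    HP-UX)     echo /sbin/init.d/ndsd ;;
    *)         echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# nici_package_present OSNAME -> 0 when the package query from step 2 finds NICI
nici_package_present() {
  case $1 in
    Linux|AIX) rpm -qa | grep -q nici ;;
    SunOS)     pkginfo | grep -q NOVLniu0 ;;
    HP-UX)     swlist | grep -q NOVLniu0 ;;
    *)         return 1 ;;
  esac
}

# run CMD... -> print the command under DRY_RUN=1, otherwise execute it
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# nici_initialize ROOT OSNAME NFKFILE -> steps 1 to 5 of the procedure
nici_initialize() {
  root=$1; os=$2; nfk=$3
  init=$(ndsd_init_script "$os") || return 1
  run "$init" stop                                   # step 1
  # step 2/3: the package check is skipped under DRY_RUN since no package
  # manager is consulted there
  if [ "${DRY_RUN:-0}" != 1 ] && ! nici_package_present "$os"; then
    echo "NICI package not installed; install it before continuing" >&2
    return 1
  fi
  run cp "$nfk" "$root/var/novell/nici/"             # step 4: copy the .nfk
  run "$root/var/novell/nici/primenici"              # step 4: prime NICI
  run "$init" start                                  # step 5
}

# Usage on a live server, as root: sh nici-init.sh /path/to/file.nfk
if [ -n "${1:-}" ]; then
  if nici_installed ""; then
    echo "NICI is already installed and initialized"
  else
    nici_initialize "" "$(uname -s)" "$1"
  fi
fi
```

Running the script with no argument only defines the functions, so it can be sourced from a larger provisioning script; the DRY_RUN mode is useful for reviewing the exact command sequence before executing it on a production server.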


Starting the Certificate Server (PKI Services)

To start PKI services, enter

npki -l


Stopping the Certificate Server (PKI Services)

To stop PKI services, enter

npki -u


Creating an Organizational Certificate Authority Object

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Creating an Organizational CA in the Novell Certificate Server Administration Guide.

  3. Click the Roles and Tasks button, click PKI Certificate Management, then click Create Certificate Authority.

    This opens the Create Organizational Certificate Authority Object Wizard. Follow the prompts to create the object. For specific information on any of the wizard pages, click Help.

NOTE:  You can have only one Organizational CA for your eDirectory tree.


Creating a Server Certificate Object

Server Certificate objects are created in the container that holds the eDirectory Server object. Depending on your needs, you might create a separate Server Certificate object for each cryptography-enabled application on the server. Or you might create one Server Certificate object for all applications used on that server.

NOTE:  The terms Server Certificate Object and Key Material Object (KMO) are synonymous. The schema name of the eDirectory object is NDSPKI:Key Material.

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Creating Server Certificate Objects in the Novell Certificate Server Administration Guide.

  3. Click the Roles and Tasks button, click PKI Certificate Management, then click Create Server Certificate.

    This opens the Create Server Certificate Wizard. Follow the prompts to create the object. For specific information on any of the wizard pages, click Help.


Exporting an Organizational CA's Self-Signed Certificate

A self-signed certificate can be used for verifying the identity of the Organizational CA and the validity of a certificate signed by the Organizational CA.

From the Organizational CA's property page, you can view the certificates and properties associated with this object. From the Self-Signed Certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.

The self-signed certificate that resides in the Organizational CA is the same as the Trusted Root certificate in a Server Certificate object that has a certificate signed by the Organizational CA. Any service that recognizes the Organizational CA's self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click eDirectory Administration > Modify Object.

  3. Specify the name and context of an Organizational Certificate Authority object, then click OK.

    Organizational Certificate Authority objects are located in the Security container.

  4. Click the Certificates tab, then click Self-Signed Certificate.

  5. Click Export.

    This opens the Export Certificate Wizard. Follow the prompts to export the certificate. For specific information on any of the wizard pages, click Help.

  6. On the Export Certificate Summary page, click Save the Exported Certificate to a File.

    The certificate is saved to a file and is available to be imported into a cryptography-enabled application as the trusted root.

  7. Click Close.

Include this file in all command line operations that establish secure connections to eDirectory.
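The trust relationship described in this section, as an added example built with openssl (this is not Novell code and does not use iManager or the eDirectory tools). It creates a throwaway self-signed root standing in for the Organizational CA's self-signed certificate, a server certificate signed by that root standing in for the certificate held in a Server Certificate object, and an unrelated self-signed certificate, then shows that a client holding only the exported root accepts the first server certificate and rejects the unrelated one. All names (EXAMPLE-TREE, ldap.example.test, the file names) are constructed for the example.

```sh
#!/bin/sh
# Demonstrate "trusted root" semantics with openssl: certificates signed by the
# self-signed root verify against it, anything else does not.
# All subjects and file names are constructed for this example.

# build_demo_pki DIR -> creates root, signed server cert and an unrelated cert
build_demo_pki() {
  dir=$1
  mkdir -p "$dir" || return 1
  # Self-signed root (stands in for the Organizational CA's certificate)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=EXAMPLE-TREE/CN=Organizational CA" \
    -keyout "$dir/orgca.key" -out "$dir/orgca.crt" >/dev/null 2>&1 || return 1
  # Server key and request, then a certificate signed by the root
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE-TREE/CN=ldap.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/orgca.crt" -CAkey "$dir/orgca.key" \
    -CAcreateserial -days 365 -sha256 -out "$dir/server.crt" >/dev/null 2>&1 || return 1
  # A certificate the Organizational CA never signed
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=OTHER/CN=untrusted.example.test" \
    -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
}

# export_trusted_root ROOTCERT BASENAME -> BASENAME.der and BASENAME.pem
# DER matches what a wizard export typically produces; PEM is what the
# openssl command line tools read back most easily.
export_trusted_root() {
  openssl x509 -in "$1" -outform DER -out "$2.der" >/dev/null 2>&1 &&
  openssl x509 -in "$1" -outform PEM -out "$2.pem" >/dev/null 2>&1
}

# verify_against_root ROOT.pem CERT -> 0 only if CERT chains to ROOT
verify_against_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# show_identity CERT -> subject and issuer, so an operator can confirm the
# server certificate's issuer is the Organizational CA
show_identity() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# Run with: sh trusted-root-demo.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  build_demo_pki "$d"
  export_trusted_root "$d/orgca.crt" "$d/trusted-root"
  show_identity "$d/server.crt"
  verify_against_root "$d/trusted-root.pem" "$d/server.crt" && echo "server.crt: trusted"
  verify_against_root "$d/trusted-root.pem" "$d/other.crt" || echo "other.crt: NOT trusted"
  rm -rf "$d"
fi
```

The exported root is the only thing a client needs to validate a server certificate issued by the Organizational CA; the server's private key never leaves the server, and no certificate outside that chain is accepted, which is why a deleted and re-created Organizational CA invalidates every certificate it had issued.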