8.1 Server Certificates Changes in OES 11 and Later

The Server Certificates service can create certificates for eDirectory services to use when you install the operating system. In addition, custom certificates can be created after the install by using Novell iManager or command line commands.

8.1.1 Using eDirectory Server Certificates in a Cluster

In a NetWare cluster, you might have copied the Server Certificate objects to all nodes in the cluster using backup and restore functions for Server Certificate objects. This functionality is also available for OES clusters. You can use the backup and restore feature for Server Certificate objects to duplicate the object’s keying material from one node on the cluster to all nodes.

For information about setting up server certificates in a Novell Cluster Services cluster, see the following sections of the NetIQ Certificate Server Administration Guide:

8.1.2 Using eDirectory Server Certificates for HTTPS Services

For NetWare, all applications are integrated with eDirectory. This allows applications to automatically use the server certificates created by Certificate Server directly from eDirectory. However, for OES, many native Linux applications (such as Apache and Tomcat) are not integrated with eDirectory and therefore cannot automatically use the certificates created by Certificate Server directly from eDirectory. By default, these services use the self-signed common server certificate created by YaST:

  • Certificate file: /etc/ssl/servercerts/servercert.pem

  • Key file: /etc/ssl/servercerts/serverkey.pem

Self-signed certificates provide minimal security and limited trust, and are not in compliance with the X.509 requirements as specified in RFC 2459 and RFC 3280. We recommend that you use eDirectory certificates instead.

NetIQ Certificate Server offers an install option for eDirectory called Use eDirectory Certificates for HTTPS Services. It is selected by default. It automatically replaces the existing server certificate and key files (YaST or third-party) with an eDirectory server certificate and key files. It exports the default eDirectory certificate SSL Certificate DNS and its key pair to the local file system in the following files:

  • Certificate file: /etc/ssl/servercerts/eDircert.pem

  • Key file: /etc/ssl/servercerts/eDirkey.pem
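The following script is an added example, not part of this guide or of NetIQ Certificate Server, for verifying which kind of certificate a Linux HTTPS service is actually serving after the install. It uses the standard openssl command-line tool (assumed to be installed) against the file paths listed above: it reports whether a certificate is self-signed (issuer equal to subject, as with the YaST default), confirms that the private key file really belongs to the certificate (a mismatch after swapping in the eDirectory files is a common cause of Apache or Tomcat failing to start), and prints the expiry date. Pass other paths as arguments to check, for example, eDircert.pem and eDirkey.pem.

```shell
#!/bin/sh
# Added example (not from the OES guide): inspect the certificate/key pair a
# Linux HTTPS service on OES uses. Defaults are the YaST common server
# certificate paths named in the guide; arguments override them.
CERT="${1:-/etc/ssl/servercerts/servercert.pem}"
KEY="${2:-/etc/ssl/servercerts/serverkey.pem}"

# Returns 0 when the certificate is self-signed (issuer equals subject),
# 1 when it was issued by a separate CA or the file cannot be read.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issuer" ]
}

# Returns 0 when the private key's public half equals the public key
# embedded in the certificate; both are compared in PEM SubjectPublicKeyInfo
# form so the check works for RSA and EC keys alike.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Human-readable summary for an administrator.
report() {
    cert="$1"
    key="$2"
    if is_self_signed "$cert"; then
        echo "WARN: $cert is self-signed (issuer == subject); clients will not trust it"
    else
        echo "OK:   $cert was issued by a separate CA"
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "OK:   $key matches $cert"
    else
        echo "ERROR: $key does not match $cert (or a file is unreadable)"
    fi
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Only run the report when the target certificate actually exists, so the
# functions can also be sourced and used from other scripts.
if [ -r "$CERT" ]; then
    report "$CERT" "$KEY"
else
    echo "note: $CERT not found; nothing to inspect" >&2
fi
```

The issuer/subject comparison is the same heuristic clients use when they flag a certificate as self-signed; it will also flag a root CA certificate, which should never be the one a service presents. Because the key check compares public keys rather than file contents, it still works when the key file has been re-encoded (for example PKCS#8 versus the traditional RSA format).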