23.2 Setting Up Certificate Management

Use the information in the following sections to help you set up certificate management as you install OES.

23.2.1 Setting Up Automatic Certificate Maintenance

To set up your server so that HTTPS services use eDirectory certificates, you must specify the Use eDirectory Certificates for HTTP Services option while installing or upgrading eDirectory.

This installs eDirectory keys and certificates on the server, but it does not configure the server to automatically replace the certificates when they expire. Automatic maintenance requires that Server Self-Provisioning be enabled as follows:

  1. On the server you are configuring, in iManager > Roles and Tasks, click the NetIQ Certificate Server > Configure Certificate Authority option.

  2. Click Enable server self-provisioning.

    This causes automatic certificate replacement for the conditions described in PKI Health Check.

    IMPORTANT: If you enable Server Self-Provisioning in an OES tree and you have created a CRL configuration object but have not yet configured any CRL distribution points, the PKI Health Check might replace the default certificates every time it runs.

    To avoid this, you can either

    • Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points by using iManager's Configure Certificate Authority task.

      or

    • Delete any CRL Configuration objects, for example CN=One - Configuration.CN=CRL Container.CN=Security.

  3. If you also want the CA certificate to be replaced if it changes or expires, click the Health Check - Force default certificate creation/update on CA change option.

23.2.2 Eliminating Browser Certificate Errors

Internet Explorer and Mozilla Firefox do not include the eDirectory tree CA in their trust stores by default, so a secure connection to an OES server, whose HTTPS certificates are issued by that CA, generates certificate errors or warnings.

These are eliminated by importing the eDirectory tree CA’s self-signed certificate into the browsers. Importing a CA certificate tells the browser to trust every certificate that CA has issued or will issue, so import only a file you obtained from the CA as described below and confirm that it is the tree CA’s certificate before you add it.

Complete the instructions in the following sections as applicable to your network.

Exporting the CA’s Self-Signed Certificate

  1. Launch Novell iManager.

  2. Log into the eDirectory tree as the Admin user.

  3. Select the Roles and Tasks menu, then click NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the Certificates tab, then select the self-signed certificate.

  5. Click Export.

  6. Deselect Export Private Key.

    The Export Format changes to DER.

  7. Click Next.

  8. Click Save the Exported Certificate and save the file to the local disk, noting the filename and location if they are indicated.

  9. Click Close > OK.

  10. Find the file you just saved. By default it is usually on the desktop.

  11. Complete the instructions in the following sections that apply to your browsers.
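Before the exported file goes into a browser trust store, it is worth confirming what you actually have: that the file is DER rather than a PEM/Base64 export, that it is the self-signed tree CA certificate (issuer equal to subject, basicConstraints CA flag set) rather than a server certificate, and what its SHA-256 fingerprint is, so you can compare it with what the browser's certificate viewer shows after import. The script below is an added example, not part of the OES documentation or the product, written in standard-library Python. It decodes only the handful of DER fields needed for those checks, also reports whether a CRL Distribution Points extension is present (useful context when reviewing the CRL state discussed in 23.2.1), and converts the certificate to PEM, which Firefox on Linux accepts as well. The sample certificate, the names "Organizational CA" and "oes-server.example", and the CRL URL are constructed for illustration; the sample carries a placeholder signature and the script does not verify signatures or validity dates.

```python
import base64
import hashlib

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31"

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """(tag, value) pairs of the elements inside a constructed element's body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def is_der_certificate(buf):
    # One complete DER SEQUENCE (what a .der/.cer export is), not a PEM text file
    return len(buf) > 2 and buf[0] == 0x30 and read_tlv(buf, 0)[2] == len(buf)

def inspect_der_cert(der):
    """The facts to check before importing a certificate as a trusted CA."""
    if not is_der_certificate(der):
        raise ValueError("not a DER certificate (PEM/Base64 export, or the wrong file?)")
    _, tbs, _ = read_tlv(read_tlv(der, 0)[1], 0)      # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                           # explicit [0] version (v2/v3 only)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, then [1]/[2]/[3]
    _, _, (_, issuer), _, (_, subject), _ = fields[:6]
    exts, is_ca = {}, False
    for tag, body in fields[6:]:
        if tag != 0xA3:                                # explicit [3] extensions
            continue
        for _, ext in children(children(body)[0][1]):
            parts = children(ext)                      # extnID, [critical], extnValue
            oid, value = decode_oid(parts[0][1]), parts[-1][1]
            exts[oid] = value
            if oid == OID_BASIC_CONSTRAINTS:           # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                bc = children(read_tlv(value, 0)[1])
                is_ca = bool(bc) and bc[0] == (0x01, b"\xff")
    return {
        "self_signed": issuer == subject,              # issuer Name byte-identical to subject Name
        "is_ca": is_ca,
        "has_crl_distribution_points": OID_CRL_DISTRIBUTION_POINTS in exts,
        "sha256_fingerprint": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()),
    }

def der_to_pem(der):
    """Same certificate, Base64-armoured; Firefox on Linux accepts this form too."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- constructed sample input (not a real OES certificate; the signature is a placeholder) ---
SHA256_RSA = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))

def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; 2.5.4.3 = commonName as UTF8String
    return seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))

def build_sample_cert(self_signed=True, ca=True, with_cdp=False):
    issuer = _name("Organizational CA")                                     # constructed name
    subject = issuer if self_signed else _name("oes-server.example")        # constructed name
    exts = [seq(tlv(0x06, b"\x55\x1d\x13"), tlv(0x01, b"\xff"),             # basicConstraints, critical
                tlv(0x04, seq(tlv(0x01, b"\xff")) if ca else seq()))]
    if with_cdp:                                                              # cRLDistributionPoints, one URI
        uri = tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example/One.crl")))
        exts.append(seq(tlv(0x06, b"\x55\x1d\x1f"), tlv(0x04, seq(seq(uri)))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), SHA256_RSA, issuer,
              seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"340101000000Z")), subject,
              seq(seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b"")),
                  tlv(0x03, b"\x00\x30\x00")),
              tlv(0xA3, seq(*exts)))
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" * 17))
```

Run it against the real export with `inspect_der_cert(open("OrgCA.der", "rb").read())` (the filename is whatever you noted in step 8); for the tree CA you expect self_signed and is_ca to be True, and the SHA-256 fingerprint should match what the browser's certificate viewer shows once the import is done. If the call raises ValueError, the file is not DER, which usually means a PEM/Base64 export was saved instead. This is structural inspection only, a pre-import sanity check rather than a substitute for the browser's own validation.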

Importing the CA Certificate into Mozilla Firefox on Linux

  1. Launch Firefox.

  2. Click Edit > Preferences > Advanced.

  3. Select the Encryption tab.

  4. Click View Certificates.

  5. Select the Authorities tab, then click Import.

  6. Browse to the certificate file you downloaded in Exporting the CA’s Self-Signed Certificate and click Open.

  7. Select Trust this CA to identify Web sites, then click OK > OK > Close.

    Firefox now trusts certificates from the servers in the tree.

Importing the CA Certificate into Mozilla Firefox on Windows

  1. Launch Firefox.

  2. Click Tools > Options > Advanced.

  3. Select the Encryption tab.

  4. Click View Certificates.

  5. Select the Authorities tab, then click Import.

  6. Browse to the certificate file you downloaded in Exporting the CA’s Self-Signed Certificate and click Open.

  7. Select Trust this CA to identify Web sites, then click OK > OK > OK.

    Firefox now trusts certificates from the servers in the tree.

Importing the CA Certificate into Internet Explorer

  1. Launch Internet Explorer.

  2. Click Tools > Internet Options.

  3. Select the Content tab.

  4. Click Certificates.

  5. Click Import.

    The Certificate Import Wizard launches.

  6. Click Next.

  7. Click Browse.

  8. In the Files of Type drop-down list, select All Files (*.*), browse to the file you downloaded in Exporting the CA’s Self-Signed Certificate, then click Open.

  9. Click Next.

  10. Click Next.

    Choose the default, Automatically select the certificate store based on the type of certificate.

  11. Click Finish > Yes > OK.

    Internet Explorer now trusts certificates from the servers in the tree.