Novell Certificate Server allows you to mint, issue, and manage digital certificates by creating a Security container object and an Organizational Certificate Authority (CA) object. The Organizational CA object enables secure data transmissions and is required for Web-related products such as NetWare Web Manager and NetWare Enterprise Web Server. The first eDirectory server will automatically create and physically store the Security container object and Organizational CA object for the entire eDirectory tree. Both objects are created at, and must remain at, the top of the eDirectory tree.
Only one Organizational CA object can exist in an eDirectory tree. After the Organizational CA object is created on a server, it cannot be moved to another server. Deleting and re-creating an Organizational CA object invalidates any certificates associated with the Organizational CA.
IMPORTANT: Make sure that the first eDirectory server is the one on which you intend to permanently host the Organizational CA object, and that this server will remain a reliable, accessible, and continuing part of your network.
If this is not the first eDirectory server on the network, the installation program finds and references the eDirectory server that holds the Organizational CA object. The installation program accesses the Security container and creates a Server Certificate object.
If an Organizational CA object is not available on the network, Web-related products will not function.
To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table.
The root administrator can also delegate the authority to use the Organizational CA by assigning the following rights to subcontainer administrators, who require them in order to install Novell eDirectory with SSL security:
These rights are assigned to a group or a role, where all the administrative users are defined. For a complete list of required rights to perform specific tasks associated with Novell Certificate Server, refer to the Novell Certificate Server online documentation.
eDirectory includes Public Key Cryptography Services (PKCS), which contains the Novell Certificate Server that provides Public Key Infrastructure (PKI) services, Novell International Cryptographic Infrastructure (NICI), and the SAS-SSL server.
The following sections provide information about performing secure eDirectory operations:
For information about using an external certificate authority, refer to the Novell Certificate Server Administration Guide.
Verify the following conditions, which indicate that the NICI module has been properly installed and initialized:
If these conditions are not met, follow the procedure in the next section, Initializing the NICI Module on the Server.
Stop the eDirectory server with the command for your platform:
Linux: /etc/rc.d/init.d/ndsd stop
Solaris: /etc/init.d/ndsd stop
AIX: /etc/rc.d/init.d/ndsd stop
HP-UX: /sbin/init.d/ndsd stop
Verify whether the NICI package is installed, using the command for your platform:
Linux: rpm -qa | grep nici
Solaris: pkginfo | grep NOVLniu0
AIX: rpm -qa | grep nici
HP-UX: swlist | grep NOVLniu0
(Conditional) If the NICI package is not installed, install it now.
You will not be able to proceed if the NICI package is not installed.
Copy the .nfk file provided with the package to the /var/novell/nici directory.
Execute the /var/novell/nici/primenici program.
Start the eDirectory server with the command for your platform:
Linux: /etc/rc.d/init.d/ndsd start
Solaris: /etc/init.d/ndsd start
AIX: /etc/rc.d/init.d/ndsd start
HP-UX: /sbin/init.d/ndsd start
Launch Novell iManager.
Log in to the eDirectory tree as an administrator with the appropriate rights.
To view the appropriate rights for this task, see Creating an Organizational CA in the Novell Certificate Server Administration Guide.
Click the Roles and Tasks button, click PKI Certificate Management, then click Create Certificate Authority.
This opens the Create Organizational Certificate Authority Object Wizard. Follow the prompts to create the object. For specific information on any of the wizard pages, click Help.
NOTE: You can have only one Organizational CA for your eDirectory tree.
Server Certificate objects are created in the container that holds the eDirectory Server object. Depending on your needs, you might create a separate Server Certificate object for each cryptography-enabled application on the server. Or you might create one Server Certificate object for all applications used on that server.
NOTE: The terms Server Certificate Object and Key Material Object (KMO) are synonymous. The schema name of the eDirectory object is NDSPKI:Key Material.
Launch Novell iManager.
Log in to the eDirectory tree as an administrator with the appropriate rights.
To view the appropriate rights for this task, see Creating Server Certificate Objects in the Novell Certificate Server Administration Guide.
Click the Roles and Tasks button, click PKI Certificate Management, then click Create Server Certificate.
This opens the Create Server Certificate Wizard. Follow the prompts to create the object. For specific information on any of the wizard pages, click Help.
A self-signed certificate can be used for verifying the identity of the Organizational CA and the validity of a certificate signed by the Organizational CA.
From the Organizational CA's property page, you can view the certificates and properties associated with this object. From the Self-Signed Certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.
The self-signed certificate that resides in the Organizational CA is the same as the Trusted Root certificate in a Server Certificate object that has a certificate signed by the Organizational CA. Any service that recognizes the Organizational CA's self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.
In Novell iManager, click the Roles and Tasks button.
Click eDirectory Administration > Modify Object.
Specify the name and context of an Organizational Certificate Authority object, then click OK.
Organizational Certificate Authority objects are located in the Security container.
Click the Certificates tab, then click Self-Signed Certificate.
Click Export.
This opens the Export Certificate Wizard. Follow the prompts to export the certificate. For specific information on any of the wizard pages, click Help.
On the Export Certificate Summary page, click Save the Exported Certificate to a File.
The certificate is saved to a file and is available to be imported into a cryptography-enabled application as the trusted root.
Click Close.
Include this file, as the trusted root, in all command line operations that establish secure connections to eDirectory.
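The following script is an added example and is not part of the Novell documentation or of Novell Certificate Server. It illustrates the trust relationship described above (a client that holds the Organizational CA's self-signed certificate as its trusted root accepts any server certificate signed by that CA, and rejects certificates chained to another root) using a throw-away CA built with openssl in place of the real exported Organizational CA file. All names, paths and the assumption that iManager exported the certificate in DER form are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): build a throw-away
# root CA and a server certificate signed by it, then check the server
# certificate against the root the way a command line tool given the
# exported Organizational CA file would. All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the Organizational CA's self-signed
# certificate: a self-signed root plus its private key.
# $1 = file prefix, $2 = subject CN
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Constructed stand-in for a Server Certificate object's certificate:
# a key pair and a certificate signed by the named root.
# $1 = root prefix, $2 = server CN (also used as file prefix)
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Validate a server certificate against one trusted-root file.
# Prints "trusted" when the chain closes on that root, else "rejected".
# $1 = trusted root PEM, $2 = server certificate PEM
verify_against_root() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# If the exported Organizational CA file was saved in DER form
# (assumption), convert it to PEM so it can be passed as -CAfile.
# $1 = DER input, $2 = PEM output
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# Build the demo material: the "organizational" root, an unrelated
# root, and one server certificate signed by the organizational root.
make_root orgca "Organizational CA"
make_root otherca "Unrelated CA"
make_server_cert orgca ldapserver

# Simulate a DER export of the organizational root and convert it back.
openssl x509 -in "$WORK/orgca.pem" -outform DER -out "$WORK/orgca.der" 2>/dev/null
der_to_pem "$WORK/orgca.der" "$WORK/orgca-from-der.pem"

echo "against Organizational CA root: $(verify_against_root "$WORK/orgca.pem" "$WORK/ldapserver.pem")"
echo "against DER-exported root:      $(verify_against_root "$WORK/orgca-from-der.pem" "$WORK/ldapserver.pem")"
echo "against unrelated root:         $(verify_against_root "$WORK/otherca.pem" "$WORK/ldapserver.pem")"
```

The same -CAfile argument, pointing at the real exported certificate, is what "include this file" means for openssl-based command line tools; other tools take the trusted root through their own option, but the check they perform is the one shown by verify_against_root.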