Novell Certificate Server has added support for a Subordinate Certificate Authority. This feature allows the Organizational CA to be subordinate to either a third-party CA or to a CA in another eDirectory tree. You still can have only one Organizational CA in your eDirectory tree.
The following are some of the reasons to have a Subordinate CA:

- Allows the Organizational CA to become part of an existing third-party PKI.
- Allows multiple trees to share a common PKI Trusted Root (or Trust Anchor).
- Allows for greater security of the Root CA by having the CA reside on a more secure system.
- Provides less risk by having the Root CA reside in a tree that is more tightly managed (for example, in a tree protected from rogue administrators/users).
In order to create a Subordinate CA, you must first delete the existing Organizational CA (see Deleting the Organizational CA). You must already have a PKCS#12 file containing the public/private keys and the certificate chain for the Subordinate CA. You can either obtain this file directly from a third-party CA or use Section 3.3.2, Creating a PKCS#12 File for a Subordinate CA, to learn how to create one. In order to create the Subordinate CA, connect to the tree in iManager and use the Configure Certificate Authority task with the Import creation method.
1. Create a Server Certificate object (or KMO) and a PKCS#10 CSR.
   a. Launch iManager.
   b. From the Roles and Tasks menu, click Novell Certificate Server > Create Server Certificate.
   c. Select the Server that will eventually host the CA, specify a certificate nickname, select the Custom creation method, then click Next.
   d. Select External Certificate Authority, then click Next.
   e. Select a Key size (2048 bit is recommended), make sure that Allow Private Key to Be Exported is selected, then click Next.
   f. Click the Edit button under the Subject name and edit the Subject name to reflect the subordinate CA and tree, select the Signature algorithm (SHA-1 is currently recommended), then click Next.
   g. Verify that the summary is correct, then click Finish.
   h. Click Save Certificate Signing Request, then follow the prompts to save the CSR to a file.

2. Get the CSR signed to create a certificate.
   a. If the Subordinate CA is to be part of a third-party PKI, have the third-party CA create the certificate from the CSR. If the Subordinate CA is to be signed by a CA in another eDirectory tree, continue with Step 2.b.
   b. Launch iManager.
   c. From the Roles and Tasks menu, click Novell Certificate Server > Issue Certificate.
   d. Select the file containing the CSR, then click Next.
   e. Select a key type of Certificate Authority, deselect Include Extended Key Usage, then click Next.
   f. Select the Certificate Authority Certificate type, select either the Unspecified or a Specific Path length, then click Next.
   g. Verify the Subject name and edit it if necessary. Specify a Validity period (5-10 years is recommended), then click Next.
   h. Select a format for the certificate, then click Next.
   i. Click Download the Issued Certificate, then follow the prompts to save the certificate.

3. Acquire the CA certificates.
   a. If the Subordinate CA is to be part of a third-party PKI, acquire the CA certificates from the third party. If the Subordinate CA is to be signed by a CA in another eDirectory tree, continue with Step 3.b.
   b. Launch iManager.
   c. From the Roles and Tasks menu, click Novell Certificate Server > Configure Certificate Authority.
   d. Click the Certificates tab, then select Self-Signed Certificate.
   e. Click Export.
   f. Do not export the private key; select a format for the certificate, then click Next.
   g. Click Save the Exported Certificate to a File, then follow the prompts to save the certificate.

4. Import the certificates into the Server Certificate object (or KMO).
   a. Launch iManager.
   b. From the Roles and Tasks menu, click Directory Administration > Modify Object.
   c. Select the Server Certificate object (or KMO) created in Step 1, then click OK.
   d. Click the Certificates tab, then click Import.
   e. Select the two files containing the certificates acquired in Step 2 and Step 3, then click OK.

5. Export the public/private keys to a PKCS#12 file.
   a. Continuing from Step 4.e, click Export, choose to include the private key, then click Next.
   b. Click Save the Exported Certificate to a File, then follow the prompts to save the PKCS#12 file.
   c. Make a copy of this file and store it in a secure place along with the password.

6. (Optional) Delete the Server Certificate object (or KMO).
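The PKCS#12 file from Step 5 is what the Configure Certificate Authority task imports after the Organizational CA has been deleted, so it is worth checking before that point. The following shell function is an added example, not part of Novell's documentation or product: it uses the openssl command line to confirm that the bundle holds a CA certificate that is permitted to sign certificates (Step 2.e and 2.f), a key of at least 2048 bits (Step 1.e), a private key that belongs to that certificate, and a chain that leads back to the root (the certificates imported in Step 4). The file name and password arguments are assumptions.

```shell
#!/bin/sh
# Added example, not Novell's own tooling: pre-import checks on the PKCS#12
# file produced in Step 5, using only the openssl command line.
# check_subca_p12 FILE PASSWORD  -> reports findings; returns 0 only if all pass
check_subca_p12() {
  p12="$1"; pw="$2"; rc=0
  tmp=$(mktemp -d)
  # Split the bundle into the Subordinate CA certificate, its private key
  # and the CA certificates that form the chain.
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$tmp/subca.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys -out "$tmp/chain.pem" 2>/dev/null || return 1
  text=$(openssl x509 -in "$tmp/subca.pem" -noout -text)
  # Step 2.e/2.f: it must be a CA certificate that may sign other certificates
  echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: basicConstraints CA:TRUE missing"; rc=1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyUsage lacks keyCertSign"; rc=1; }
  echo "INFO: $(echo "$text" | grep -o 'pathlen:[0-9]*' || echo 'path length unspecified')"
  # Step 1.e: a 2048-bit key is recommended
  bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-unknown} bits, less than 2048"; rc=1; }
  # The private key in the bundle must belong to the certificate
  a=$(openssl x509 -in "$tmp/subca.pem" -noout -pubkey | openssl md5)
  b=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null | openssl md5)
  [ -n "$a" ] && [ "$a" = "$b" ] || { echo "FAIL: private key does not match certificate"; rc=1; }
  # Steps 3 and 4: the chain in the bundle must lead back to the root CA
  openssl verify -CAfile "$tmp/chain.pem" "$tmp/subca.pem" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not chain to a root in the bundle"; rc=1; }
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: $p12 passes the Subordinate CA checks"
  return "$rc"
}
```

Run it as `check_subca_p12 subca.p12 'password'` on the file saved in Step 5.b; a non-zero exit means the bundle should not be imported as the Organizational CA.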