Backing up and Moving the Tree Certificate Authority

(Last modified: 19Jan2004)

This document (10071751) is provided subject to the disclaimer at the end of this document.

goal

Backing up and Moving the Tree Certificate Authority

fact

NetWare 6

NW6SP1

eDirectory 8.6.2

Certificate Server

note

With NetWare 6 you can export the private key of the CA. This means that you can restore the CA from the exported file and keep the same private key, so all the other certificates in the tree remain valid. In the past you would have had to re-create all certificates in the tree after creating a new CA.

This is supported with Certificate Server v2.21 or later. The versions of Certificate Server shipping with NetWare/eDir are the following:

eDir 8.6.x Solaris/Linux: CertServer 2.20

NetWare 6.0: CertServer 2.21

eDir 8.6.x NetWare/NT: CertServer 2.23

Therefore, backup and restore of the CA is supported with NetWare 6.0 (and above) and 8.6.x (and above) on NetWare and NT. It is not yet supported on Unix. You can only export the CA if it was created with Certificate Server v2.21 or later. This is because versions prior to v2.21 did not set the CA's private key to be extractable from NICI. Thus, for example, if you upgraded from NetWare 5.1 or from eDir 8.5.x and you did not recreate the CA with version 2.21 of Certificate Server or better, it will not be exportable.

fix

Exporting/Backing up the CA

  • Open up ConsoleOne on a workstation logged into the tree.
  • Browse to the Security object (right under the root of the tree). The tree CA is contained in the Security object and is named “TREE-NAME Organizational CA”. Open the properties of that object.
  • Click on the Certificates tab then the Export button.
  • Click yes to export the private key, choose a file name and location for the certificate, enter a password to lock the file, then click finish.

You have now backed up the tree's Organizational CA. When the export is complete, you may want to copy the file onto a disk or burn it to a CD/DVD and put it somewhere safe. This file can be used to restore the CA at a later point.
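A check worth running on the exported file before the Organizational CA object is deleted in a move or restore, as an added example that is not part of the original Novell document: it confirms that the file opens with its password, that the private key matches the CA certificate, and that an already-issued certificate chains to the CA certificate in the backup. It assumes the export is a PKCS#12 (.pfx) file and that OpenSSL is available; the function names, sample tree name and password are constructed for illustration.

```sh
# Added example, not Novell tooling. Assumptions: the ConsoleOne export is a
# PKCS#12 (.pfx) file and OpenSSL is installed on the admin workstation.
# All names, subjects and the password below are constructed sample values.
# OpenSSL 3.x may need "-legacy" on the pkcs12 commands to read files that
# use older PKCS#12 encryption algorithms.

# Succeeds only if FILE opens with PASSWORD and its private key matches its cert.
verify_ca_backup() {  # usage: verify_ca_backup FILE PASSWORD
  vb_key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null) || return 1
  vb_crt=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) || return 1
  vb_kpub=$(printf '%s\n' "$vb_key" | openssl pkey -pubout 2>/dev/null)
  vb_cpub=$(printf '%s\n' "$vb_crt" | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$vb_kpub" ] && [ "$vb_kpub" = "$vb_cpub" ]
}

# Succeeds if an already-issued certificate chains to the CA cert in the backup.
leaf_chains_to_backup() {  # usage: leaf_chains_to_backup FILE PASSWORD LEAF.pem
  lc_ca=$(mktemp) || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -out "$lc_ca" 2>/dev/null &&
    openssl verify -CAfile "$lc_ca" "$3" >/dev/null 2>&1
  lc_rc=$?
  rm -f "$lc_ca"
  return "$lc_rc"
}

# Builds a constructed CA, one issued certificate and a password-locked export.
make_sample() {  # prints the temp directory holding the sample files
  ms_d=$(mktemp -d) || return 1
  ( cd "$ms_d" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.crt \
      -subj "/O=EXAMPLE-TREE/OU=Organization CA" &&
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=server1" &&
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -out leaf.crt &&
    openssl pkcs12 -export -inkey ca.key -in ca.crt -out ca.pfx \
      -passout pass:Constructed-Pw1
  ) >/dev/null 2>&1 || return 1
  printf '%s\n' "$ms_d"
}

# Demo run on the constructed sample.
d=$(make_sample) && verify_ca_backup "$d/ca.pfx" Constructed-Pw1 &&
  leaf_chains_to_backup "$d/ca.pfx" Constructed-Pw1 "$d/leaf.crt" &&
  echo "backup opens, key matches certificate, issued certificate still chains"
```

A failure of either function on the real export means the file should not be relied on as the only copy of the CA key.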

Moving/Restoring the CA

  • Open up ConsoleOne on a workstation logged into the tree.
  • On the destination server, open NWCONFIG and verify that Certificate Server is installed. If it is not, install it from the NetWare 6 CD.
  • Browse to the Security object (right under the root of the tree).
  • Delete the Organizational CA object; it will be named “TREE-NAME Organizational CA”.
  • Right click the Security container, click New then Object. Create a new NDSPKI:Certificate Authority object. Browse and select the destination server as the host server.
  • Name the object “MY-TREE Organizational CA”.
  • Select the import option and click Next. Select Read From File, browse to the CA file that you previously exported, then click Next.
  • Enter the password that you assigned to the file and click finish.
  • Open the properties of the new CA object and click Validate under the Certificates tab to ensure the certificate is valid.

You can also open the properties of other Certificate objects in the tree and test their validity. Those certificates do not have to be re-created; they should work just fine.

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10071751
  • Solution ID: NOVL80204
  • Creation Date: 06Jun2002
  • Modified Date: 19Jan2004
    • NovellNetWare