
How to upgrade the Organizational Certificate Authority (CA)

(Last modified: 02Feb2004)

This document (10089041) is provided subject to the disclaimer at the end of this document.

goal

How to upgrade the Organizational Certificate Authority (CA)

symptom

Error: "CERTIFICATE AUTHORITY old and not exportable"

Organizational Certificate Authority certificates have expired

Error occurs when exporting the private key of the Certificate Authority

cause

If an Organizational CA was created with PKI.NLM 1.x, the private key cannot be exported and the Organizational CA cannot be moved to a new host server. The only way to get this functionality is to delete the existing Organizational CA and re-create it with the newer PKI.NLM (version 2.x or later).

Some Organizational CA objects were created with a validity period of only 2 years instead of the more common 10 years. This means the CA certificate may expire while the server it was originally created on is still in use.

fix

If the certificate on the Organizational CA object (found in the Security container) has expired, you must delete and re-create the Organizational CA object following the steps listed below. Any dependent certificates will also need to be deleted and re-created.

Minimum requirements:

- Certificate Authority Server (PKI.NLM). PKI 2.2.x or later is recommended.
- NICI 2.x must be installed on the Certificate Authority host server (NICI 2.6.1 or later is recommended).

The minimum requirements will most likely already be met if the CA was created on a Novell NetWare 6.x server.

Steps to delete and re-create the Organizational CA:

- In iManager or ConsoleOne, find the Organizational CA object. It is in the Security container, which is directly under [Root].
- Delete the object.
- Re-create the object in ConsoleOne or iManager. (The new object's type is "NDSPKI:Certificate Authority".)
- Make sure you enter the same server object as the host server that was there before you deleted the object. If you forget to enter a host server, you will have to remove the object and do it again; the ConsoleOne snap-ins will not let you add the host server after the fact.

note

Q.   What happens when I delete the Organizational CA?

A.   Deleting the Organizational CA removes your ability to sign any new server certificates you create until the CA is re-created.
Conceptually, deleting the Organizational CA invalidates all certificates that were previously issued by the former Organizational CA.
But because each server certificate object (KMO) stores the complete certificate chain, services using existing server certificates will continue to work.

The only certificates that must contact the Organizational CA every time they are validated are user certificates. For every user certificate that was created with the original Organizational CA, a new certificate must be created with the new Organizational CA and re-issued (exported, then imported into whatever application consumes it).

Q.  How do I get all of the new objects in the tree to read the new Organizational CA?

A.  Most objects don't need to be changed.  Listed below are common security components to consider.

- Simple Passwords and NMAS authentication methods
-- Leave them alone. These were created using the tree key, which is controlled through the Security | WO object; they are not affected by the removal of the CA.

- KMO and SAS objects for servers in the tree
-- Although the KMO and SAS objects are technically no longer valid with respect to the Organizational CA, they remain fully operational until they expire. When a KMO object is created, it embeds the information from the Organizational CA and from that point on never contacts the CA to validate certificates. Because of this, there is no need to remove them until they expire.

- User Certificates
-- These are invalid and must be re-created. In ConsoleOne you can select multiple users, right-click, and modify multiple properties at once; the certificates can be removed and new ones created in the same operation. You then have to export a certificate for each user and re-import it into whatever application requires the certificate.
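The behaviour described in the two answers above (server certificates keep working because the KMO embeds the old chain; anything validated against the live CA does not) and the 2-year validity problem from the cause section, as an added example that is not from this TID and is not Novell's own tooling. It uses the openssl command line to model an Organizational CA with a 2-year validity, a server certificate it issued, and a re-created CA with a new key pair. All names, paths and validity periods are constructed for the demonstration; in a real tree you would export the CA certificate from the Organizational CA object and the server certificate from the KMO with ConsoleOne or iManager and run the same checks against those files.

```shell
#!/bin/sh
# Added example (not from the Novell TID): model the Organizational CA
# replacement with the openssl CLI. Every name, path and validity period
# below is constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate with a validity in days. The TID notes that
# some Organizational CAs were created with only 2 years instead of 10.
make_ca() {            # $1 = CA name, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf (server or user) certificate signed by the named CA.
issue_cert() {         # $1 = issuing CA name, $2 = leaf name, $3 = days
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days "$3" -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Prints "yes" if the certificate expires within $2 seconds, else "no".
# openssl x509 -checkend exits 0 only if the cert is still valid at that time.
expires_within() {     # $1 = certificate file, $2 = seconds from now
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Prints "VALID" if the leaf chains to the given trusted CA file, else "INVALID".
verify_against() {     # $1 = leaf certificate, $2 = trusted CA certificate
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo VALID
    else
        echo INVALID
    fi
}

# Original Organizational CA (2-year validity) and a server cert it issued.
# In eDirectory the KMO would store server.crt together with OrgCA-old.crt.
make_ca OrgCA-old 730
issue_cert OrgCA-old server 365

# The deleted and re-created Organizational CA: same kind of object,
# but a brand-new key pair, so nothing signed by the old CA chains to it.
make_ca OrgCA-new 3650

echo "Old CA $(openssl x509 -noout -enddate -in "$WORK/OrgCA-old.crt")"
echo "Old CA expires within 1 year:  $(expires_within "$WORK/OrgCA-old.crt" 31536000)"
echo "Old CA expires within 3 years: $(expires_within "$WORK/OrgCA-old.crt" 94608000)"
echo "Server cert vs old CA embedded in the KMO: $(verify_against "$WORK/server.crt" "$WORK/OrgCA-old.crt")"
echo "Server cert vs re-created CA:              $(verify_against "$WORK/server.crt" "$WORK/OrgCA-new.crt")"
```

The server certificate still verifies against the old CA certificate that the KMO embedded beside it, which is why services keep running after the CA is deleted; it does not verify against the re-created CA, which is why anything that validates against the live Organizational CA (user certificates, per the answer above) has to be re-issued. The -checkend check is the quick way to answer the 2-year versus 10-year question for an exported CA certificate before it actually expires and the "old and not exportable" error appears.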

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10089041
  • Solution ID: NOVL94020
  • Creation Date: 24Nov2003
  • Modified Date: 02Feb2004
  • Products: Novell NetWare, eDirectory, Security Components
