How to upgrade the Organizational Certificate Authority (CA)

  • 7010310
  • 15-Mar-2012
  • 30-Apr-2012

Environment

Novell eDirectory 8.7.3.9 for NetWare 6.5
Novell Certificate Server (PKIS) 2.75

Situation

Error: "CERTIFICATE AUTHORITY old and not exportable"
 
Organizational Certificate Authority certificates have expired

Error occurs when exporting the private key of the Certificate Authority
How to upgrade the Organizational Certificate Authority (CA)

Resolution

This TID descibes the steps involved in recreating an eDirectory tree's Root CA if using the older 1.x and 2.x versions of Certificate Server versions.  
 
For instructions on recreating the Root CA using the current version of Certificate Server, 3.x, please consult Section 3.2 "Creating an Organizational Certificate Authority Object" within the Novell Certificate Server 3.0 documentation found at: https://www.novell.com/documentation.
 
If the Certificate on the Organization CA object (found in the Security container) has expired, then you must delete and recreate the Organizational CA object following steps listed below.  Any dependant certificates will also need to be deleted and recreated.
Minimum requirements:

- Cerificate Authority Server (PKI.NLM). PKI 2.2.x or greater is recommended.
- NICI 2.x needs to be installed on the Certificate Authority Host Server  (NICI 2.6.1 or greater is recommended)

The minimum requirements will most likely be met if the CA has been created on a Novell NetWare 6.X server.
Steps to delete and re-create the Organizational CA?

- Use iManager or ConsoleOne to delete the object
- Find the Organizational CA.  It will be under the Security container which is under Root
- Delete the object
- Recreate the Object in ConsoleOne or iManager.  (The new object is type is "NDSPKI:Certificate Authority")
- Make sure you put in the same server object in the host name that was there before you deleted the object.  If you forget to put in a hostname, you will have to remove the object and do it again.  The ConsoleOne snapins will not allow you to put the name after the fact.

Additional Information

If an Organizational CA is created with PKI.NLM 1.x, the ability of exporting the private key or moving the Organizational CA to a new host server is not available.  The only way to get this functionality is to delete the existing Organizational CA and re-create it with the new PKI.NLM (version 2.x or greater)
Some Organizational CA objects were created with a validity period of only 2 years, instead of the more common 10 years.  This means they may expire while you are still using the server it was originally created on.
Q.   What happens when I delete the Organizational CA?

A.   Deleting the Organizational CA will remove your ability to sign certificates for any new server certificates you might create.
Conceptually, when you delete the Organizational CA, you are invalidating all certificates that were previously issued by the former Organizational CA.
But since each server certificate object (KMO) stores the complete certificate chain, services using server certificates will  continue to work.

The only certificates that need to contact the Organizational CA every time to validate, are user certificates.  For every user certificate that was created with the original Organizational CA, new certificates need to be created with the new Organizational CA and re-issued (exported and then imported into whatever application is consuming the certificates).

Q.  How do I get all of the new objects in the tree to read the new Organizational CA?

A.  Most objects don't need to be changed.  Listed below are common security components to consider.

- Simple Passwords and NMAS authentication methods
-- Leave them alone.  These were created using the tree key which is controlled through the Security | WO object.  They are not affected by the removal of the CA

-  KMO and SAS objects for servers in the tree
-- Although the KMO and SAS  objects are technically not valid with the Organizational CA, they are still completely operational until they expire.  When the KMO objects are created, they embed the information from the Organizational CA and from that point on, never contact the CA to validate certificates.  Because of this, there really is no need to remove them until they expire.

- User Certificates
-- These are invalid and need to be re-created.  In ConsoleOne, you can select multiple users, right click and modify multiple properties at once.  The certicates can be removed and new ones created at the same time.  You then will have to export a certificate for each user and re-import into whatever application requires the certificate.


Formerly known as TID# 10089041
Formerly known as TID# NOVL94020