PKIDiag can NOT repair NetWare 6.5 AG Server Certificates

  • 3031165
  • 28-Feb-2007
  • 30-Apr-2012

Environment

Novell NetWare 6.5
Novell Certificate Server
PKIDIAG.NLM Version 2.40.01 May 9, 2002

Situation

  • The PKIDIAG Version 2.40.01 repair process can NOT process any AG default server certificates
  • The repair process loops, repeatedly writing the following error message to the "SYS:\ETC\CERTSERV\REPAIR.LOG" file:

    "PROBLEM: The KMO 'IP AG 192\.168\.100\.10 - NW65SERV.NOVELL' does not have the right naming convention.
    UNFIXABLE: !!! This utility cannot fix this kind of problem !!!"

Resolution

  • Stop PKIDIAG while looping by using the following command at the NetWare server system console: "exec unload pkidiag"
  • Use iManager 2.6 with CertServerPlugins Version 3.201.20061116 instead of PKIDIAG.
    PKIDIAG functionality has been ported over to iManager and will allow you to create all default certificates for multiple directory servers (all platforms) at the same time if required.

Additional Information

Currently, PKIDIAG.NLM Version 2.40.01 May 9, 2002, included in PKIDIAG1.EXE, does NOT recognize the new server certificate objects (or KMOs) with escaped characters that are created by default when either NetWare 6.5 is installed or Certificate Server version 2.5.2 is installed.

With NetWare 6.5 (and eDir 8.7 SP1) Certificate server will attempt to create certificates for all of the IP and DNS addresses configured on the box (i.e. there could be more certificates than you are currently seeing based on the number of addresses configured for the box). These new certificates will be named DNS AG... and IP AG... where the "..." is either the DNS or the IP address (AG stands for Auto Generated).
The two requirements for NetWare 6.5 were to create certificates for each of the IP and DNS addresses and to make the certificate subject name easily recognizable. This has been done using a naming convention that includes the address in the name. Because many directory applications use dot separators for names, the dots in the IP and DNS addresses will appear as escaped characters when viewed with these applications.

COPY OF EXCERPT FROM SYS:\ETC\CERTSERV\REPAIR.LOG

---------------------------------------------------------------------------
NPKIRepair Starting (Check the end of the log for the last repair results)
Current Time: Wed Aug 20 10:22:14 2003
User logged-in as: admin.novell.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'NW65SERV'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'NW65SERV.NOVELL' points to SAS Service object 'SAS Service - NW65SERV.NOVELL'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - NW65SERV.NOVELL' is backlinked to server 'NW65SERV.NOVELL'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - NW65SERV.NOVELL'.
--->KMO IP AG 192\.168\.100\.10 - NW65SERV.NOVELL is linked.
PROBLEM: The KMO 'IP AG 192\.168\.100\.10 - NW65SERV.NOVELL' does not have the right naming convention.
UNFIXABLE: !!! This utility cannot fix this kind of problem !!!
--->KMO IP AG 192\.168\.100\.10 - NW65SERV.NOVELL is linked.
PROBLEM: The KMO 'IP AG 192\.168\.100\.10 - NW65SERV.NOVELL' does not have the right naming convention.
UNFIXABLE: !!! This utility cannot fix this kind of problem !!!
--->KMO IP AG 192\.168\.100\.10 - NW65SERV.NOVELL is linked.
PROBLEM: The KMO 'IP AG 192\.168\.100\.10 - NW65SERV.NOVELL' does not have the right naming convention.
UNFIXABLE: !!! This utility cannot fix this kind of problem !!!
.
.
.
--->KMO IP AG 192\.168\.100\.10 - NW65SERV.NOVELL is linked.
PROBLEM: The KMO 'IP AG 192\.168\.100\.10 - NW65SERV.NOVELL' does not have the right naming convention.
UNFIXABLE: !!! This utility cannot fix this kind of problem !!!
--->KMO IP AG 192\.168\.100\.10 - NW65SERV.NOVELL is linked.
PROBLEM: The KMO 'IP AG 192\.168\.100\.10 - NW65SERV.NOVELL' does not have the right naming convention.
UNFIXABLE: !!! This utility cannot fix this kind of problem !!!
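
The following is an added example, not part of the original TID or of any Novell tool: a Python check that scans REPAIR.LOG text for the loop shown above, counts repeated UNFIXABLE reports per auto-generated KMO, and unescapes the address embedded in the name. The sample log is constructed from the excerpt; the DNS entry, the function names and the repeat threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the REPAIR.LOG excerpt; the DNS entry is hypothetical.
_BLOCK = (
    "--->KMO {k} is linked.\n"
    "PROBLEM: The KMO '{k}' does not have the right naming convention.\n"
    "UNFIXABLE: !!! This utility cannot fix this kind of problem !!!\n"
)
SAMPLE_LOG = (
    "Step 3 Verifying the links to the KMOs\n"
    + _BLOCK.format(k=r"IP AG 192\.168\.100\.10 - NW65SERV.NOVELL") * 5
    + _BLOCK.format(k=r"DNS AG nw65serv\.example\.com - NW65SERV.NOVELL")
)

PROBLEM_RE = re.compile(
    r"^PROBLEM: The KMO '(?P<kmo>.+)' does not have the right naming convention\.$"
)
# Auto-generated names: "<IP|DNS> AG <escaped address> - <server>"
AG_RE = re.compile(r"^(?P<kind>IP|DNS) AG (?P<addr>.+) - (?P<server>\S+)$")


def unescape(address):
    """Drop the backslash that escapes each dot in the directory name."""
    return re.sub(r"\\(.)", r"\1", address)


def find_looping_kmos(log_text, threshold=2):
    """Map each AG KMO reported UNFIXABLE at least `threshold` times to its details."""
    lines = [line.strip() for line in log_text.splitlines()]
    counts = Counter()
    for current, following in zip(lines, lines[1:]):
        match = PROBLEM_RE.match(current)
        if match and following.startswith("UNFIXABLE:"):
            counts[match.group("kmo")] += 1
    findings = {}
    for kmo, repeats in counts.items():
        ag = AG_RE.match(kmo)
        if ag and repeats >= threshold:
            findings[kmo] = {
                "kind": ag.group("kind"),
                "address": unescape(ag.group("addr")),
                "server": ag.group("server"),
                "repeats": repeats,
            }
    return findings


if __name__ == "__main__":
    for name, info in find_looping_kmos(SAMPLE_LOG).items():
        print(f"{name}: {info}")
```

A KMO returned by this check is one the PKIDIAG repair pass keeps revisiting; the unescaped address identifies which configured IP or DNS address the certificate was generated for.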

Formerly known as TID# 10086584