Certificate Server: basic overview and useful TIDs

  • 7003514
  • 11-Jun-2009
  • 26-Mar-2015

Environment

Novell eDirectory 8.8 for All Platforms
Novell Certificate Server (PKIS) 3.x
Third party Certificates: Verisign, Thawte, GoDaddy, GeoTrust, Comodo, Entrust, RapidSSL, etc.

Situation

SSL/TLS certificates are used to establish trusted, encrypted communication channels. A certificate is issued by a trusted source (a Certificate Authority) which verifies, before signing, that the organization named in the certificate actually controls it. Novell Certificate Server provides the ability to create, sign, and manage certificates. The Novell Certificate Server documentation covers many related topics, such as certificate generation, expiration, revocation, deletion, and public and private key usage.


Resolution

What is a CA?

A Certificate Authority (CA) is an entity that issues digital certificates for use by other parties; it is an example of a trusted third party. The CA is the root of trust in a Public Key Infrastructure (PKI): a certificate is trusted because it was signed by a CA that the relying party already trusts. Novell provides a CA service (the Organizational CA) in every eDirectory tree.

Some good TIDs about CAs:

7002949 - Unable to Create a new Organizational Certificate Authority

3090028 - How to configure eDirectory as a SubOrdinate CA

3618399 - How do I move the Organizational CA to another server?

3623407 - Certificate Server Issues-Removing a Server from a Tree


Why do I need an SSL certificate?

Browsers and other programs use certificates to establish secure communication links using SSL or TLS. eDirectory includes a Certificate Authority that can create and sign certificates, and each server in an eDirectory tree has several associated certificates for use in securing its communications.


Why would you want a third party certificate?

All modern browsers ship with a trust store containing the certificates (public keys) of a large number of well-known third-party Certificate Authorities. Before a certificate is used to set up a secure channel it must be validated: the signature on the certificate is checked with the public key of the CA that signed it, and that CA (or an intermediate CA that chains up to it) must already be trusted. If you use a certificate from a well-known third party, the browser already has the required CA certificate and can validate the server certificate locally. If the certificate was instead signed by your own eDirectory Organizational CA, the browser has no reason to trust that CA and shows the well-known security warning that the certificate issuer is not trusted. See TID 7000444 to learn more and to resolve those errors with Novell CA signed certificates.


Why do certificates expire?

All certificates have expiration dates so that the window of exposure, should the certificate or its private key be compromised, is limited. Expiry is why certificates must be renewed, and the validity period is one of the things a relying party checks, alongside revocation status, before trusting a certificate.

3305590 - How to renew an expired third party (i.e. Verisign) server certificate in eDirectory


How do I install 3rd party certificates?

Generally speaking, to use a third party certificate you first generate a Certificate Signing Request (CSR) for the server's key pair, send the CSR to the third party, they sign it and return the signed certificate, and you import that certificate into eDirectory. Only the CSR, which carries the public key, is sent to the vendor; the private key stays on the server. To complete the import in eDirectory you need the server certificate matched to its public/private key pair, possibly one or more intermediate CA certificates, and the root CA certificate of the signing authority. Different vendors return different data with the signed certificate: some include the intermediate and root CA certificates, others expect you to download them yourself.

See TID 3033173 - How to import a Production VeriSign External Certificate into eDirectory using iManager for one example of how to do this.

Other related TIDs:

3920370 - How to import a Production VeriSign External Certificate into eDirectory 8.7.3 using ConsoleOne

3325584 - How to import an Evaluation VeriSign External Certificate into eDirectory 8.7.3

3452955 - How to import a VeriSign Certificate into SUSE Enterprise Server 9 not running eDirectory



How do I use certificates in a clustered or load balanced scenario?

It is possible to use one certificate whose name field contains a wildcard (for example *.example.com) on multiple servers within an organization. This is especially useful for services hosted in a cluster or behind an L4 switch for load balancing, where clients may reach any node under the same service name. Two caveats: a wildcard matches exactly one DNS label (host.example.com but not sub.host.example.com or example.com), and the same private key is installed on every server, so compromising any one node exposes the key used by all of them.

TID 7006420 - How to Import an External CA Signed Wildcard certificate
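The following shell script is an added example; it is not part of this TID and not Novell Certificate Server code. It uses the openssl command line to walk through the third party certificate procedure above end to end: a stand-in root and intermediate CA (the vendor's side), a server key pair and CSR (your side), the signed certificate assembled into the chain you would import, and then the checks a client performs, namely chain validation with and without the intermediate, the untrusted-issuer failure a browser reports for a CA it does not know, wildcard name matching for the clustered case, and an expiry check. All names (Example Root, Example Intermediate, *.example.com) and file names are invented for the example; nothing here talks to eDirectory, it only produces the files you would hand to iManager.

```shell
#!/bin/sh
# Added example, not from the original TID. Throw-away PKI built with the
# openssl CLI: root CA -> intermediate CA -> server certificate, then the
# checks a relying party runs. All names and paths are invented.
set -eu

# make_test_pki DIR: build the chain under DIR.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
  # CA extensions; without CA:TRUE OpenSSL refuses to treat a cert as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Leaf extensions; the SAN carries the wildcard, which is what clients match on.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.com\n' > "$dir/server.ext"

  # 1. Stand-in for the vendor's root CA (in production it lives in the
  #    browser trust store; you never generate it yourself).
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Root CA/CN=Example Root" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # 2. Stand-in for the vendor's intermediate CA: the certificate some vendors
  #    return with the signed CSR and others expect you to download.
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Root CA/CN=Example Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # 3. Your side: server key pair and CSR. Only the CSR goes to the vendor.
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Org/CN=*.example.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # 4. Vendor side: sign the CSR with the intermediate. 30 days keeps the
  #    expiry check below meaningful.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null

  # 5. Chain as it is imported: server certificate first, then the
  #    intermediate; the root is installed separately as the trusted anchor.
  cat "$dir/server.pem" "$dir/int.pem" > "$dir/chain.pem"
}

# verify_chain DIR: the normal case, root trusted and intermediate supplied.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem" >/dev/null 2>&1
}

# verify_without_intermediate DIR: the vendor did not return the intermediate
# and it was never imported; fails with "unable to get local issuer certificate".
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# verify_without_root DIR: a client whose trust store lacks the root, i.e.
# the browser's "issuer not trusted" warning for an in-house CA.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$1/int.pem" "$1/server.pem" >/dev/null 2>&1
}

# verify_hostname DIR NAME: chain check plus name match against the SAN.
verify_hostname() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# valid_for DIR SECONDS: succeeds only if the cert is still valid SECONDS from now.
valid_for() {
  openssl x509 -in "$1/server.pem" -noout -checkend "$2" >/dev/null 2>&1
}

yesno() { if "$@"; then echo yes; else echo no; fi; }

# Stand-alone run: build the PKI in a scratch directory and report each check.
WORK=$(mktemp -d)
make_test_pki "$WORK"
echo "root + intermediate      : $(yesno verify_chain "$WORK")"                        # yes
echo "missing intermediate     : $(yesno verify_without_intermediate "$WORK")"         # no
echo "root not trusted         : $(yesno verify_without_root "$WORK")"                 # no
echo "name ldap.example.com    : $(yesno verify_hostname "$WORK" ldap.example.com)"    # yes
echo "name a.b.example.com     : $(yesno verify_hostname "$WORK" a.b.example.com)"     # no, one label only
echo "still valid in 1 day     : $(yesno valid_for "$WORK" 86400)"                     # yes
echo "still valid in 60 days   : $(yesno valid_for "$WORK" $((60*86400)))"             # no
```

It needs a POSIX shell and OpenSSL 1.1.1 or later. The "missing intermediate" and "root not trusted" lines are the two failures behind most import problems: the first is cured by importing the intermediate with the server certificate, the second only by getting the root into the client's trust store or by using a certificate from a CA that is already there. The `-checkend` call is the one to put in a monitoring job so renewal happens before the expired-certificate TID applies.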


For additional Certificate Server information and troubleshooting steps, visit https://www.netiq.com/documentation/ and select the Certificate Server documentation. Section 5.0 contains the Troubleshooting section.