Environment
Novell eDirectory
NetIQ iManager
NetIQ iManager
Situation
How to create / generate a self-signed certificate with a custom Signature algorithm (SHA 2, etc.)
How to change LDAP Encryption Method
How to change LDAP Encryption Method
Resolution
You can create a custom eDirectory LDAP certificate by completing the following steps:
- Create the self-signed certificate:
- Authenticate to iManager
- Under the Roles and Tasks section click on NetIQ Certificate Server
- Click Create Server Certificate
- Select which LDAP server that will own the server certificate
- Enter a Nickname for the certificate
- Under Creation method - select Custom (User Specifies Parameters)
- Click Next
- Select how to have the Certificate signed. To have the TREE CA sign, please select the Organizational Certificate Authority Option
- Click Next
- Take the default options, unless other customization is needed
- Click Next
- Click the drop down for the Signature algorithm and select the preferred option (i.e. SHA 256-RSA (SHA2))
- Take the defaults for all of the options unless otherwise needed
- Click Next
- Select where to place the certificate in the TREE (i.e. Your organization's certificate)
- Click Next
- Look over the parameters, if all looks good - Click Finish
- Click Close
- Implement the certificate created above with the intended LDAP Server:
- Assign the certificate to the LDAP server in iManager:
- Click the View Objects tab (Magnify Glass)
- Navigate and Click your LDAP server object
- In the pop up window Click Modify Object
- Click the Connections Tab
- Click the Server Certificate Magnify Glass
- In the pop up window Click drop down and select the new custom cert
- Click OK
- Click Apply
- Refresh / restart the ldap server so the newly assigned certificate is loaded. Please refer to documentation:
https://www.netiq.com/documentation/edir88/edir88/data/ahu1b5m.html) - (optional) To verify the new certificate has been loaded, please type the following command on a Linux server:
echo | openssl s_client -connect ldapserveraddress:636 2>/dev/null | openssl x509 -text
Note: Refer to the additional info on what this output could look like.
Additional Information
Here is example output from verification step 3 above:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:14:e1:6e:79:9d:06:a1:13:e6:59:eb:fd:63:e9:61:fa:b0:76:0e:87:a7 :f4:4b:34:95:1c:64:a4:02:03:38:5c:dd:0b:c3
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=TREENAME, OU=Organizational CA
Validity
Not Before: Sep 22 17:20:00 2016 GMT
Not After : Sep 22 17:20:00 2018 GMT
Subject: O=SNIELSON2_TREE, CN=sNIelson2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:99:8f:9e:9e:9f:eb:10:82:5b:dc:a6:2b:d7:5a:
5e:5f:d6:f5:b8:77:99:86:97:23:b2:11:21:80:da:
1e:be:06:da:ee:46:83:24:43:ff:ca:c5:95:0f:ff:
82:28:20:b8:b0:61:1a:e8:cd:40:9e:a1:09:b7:99:
4d:e8:74:ff:89:c8:7c:ea:41:3c:2f:9d:a5:9d:4e:
10:fa:a5:63:ee:23:0b:a3:10:78:9a:ff:3e:fc:63:
e9:b6:c6:08:30:12:f1:c4:5f:28:0c:dc:ce:5f:dd:
3b:00:0d:e8:19:f1:b0:da:b5:7c:5e:57:f9:25:b0:
53:ad:2b:02:ad:b4:0e:df:93:b5:77:fc:86:6f:58:
2b:25:2b:3d:72:fc:9e:76:22:3e:95:aa:fd:b2:f6:
50:17:91:72:e2:44:68:66:30:27:1a:98:88:cc:1c:
b0:23:db:18:29:98:07:46:e6:fb:72:b3:46:b5:a2:
62:9e:7b:6e:a1:49:fe:d6:42:ae:30:46:37:7f:87:
2c:67:c2:45:29:fe:2c:6f:02:bc:6a:02:f8:7a:91:
a4:eb:bd:81:8d:a3:00:e7:e9:d3:73:b2:5d:32:89:
03:8c:25:78:ee:c3:41:18:fe:9c:f6:71:60:e7:f5:
27:26:1e:54:9e:b9:ee:02:82:8b:1e:65:1f:c2:df:
6c:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CE:39:BE:C5:46:BB:C4:69:17:73:B2:C8:16:3B:28:6F:B5:F9:5F:9B
X509v3 Authority Key Identifier:
keyid:C9:F8:38:AA:E2:E7:98:30:B4:CA:43:78:CD:7B:70:32:3B:95:50:F F
X509v3 Subject Alternative Name:
IP Address:151.155.215.93
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security Attribute(tm).Chttp://developer.nov ell.com/repository/attributes/certattrs_v10.htm0..H.....0.0......F0.0......
........................0.0......................H0.0......................H.X.. .@..............@.......0.0.....................ny0.0.....................ny.N0L ........................0.0.................0.0.................
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
42:11:d8:d1:55:1f:bf:ce:4c:fc:61:8a:11:33:3f:7d:26:1b:
80:e6:c1:1f:ac:75:29:d2:82:43:9e:f8:aa:75:f5:6f:05:57:
d9:4f:75:dd:8c:64:ad:96:67:0b:06:fb:cc:96:3a:69:77:37:
49:19:0e:01:43:2f:77:01:a8:4c:00:02:37:b4:a7:a6:57:2e:
a4:76:3d:4e:95:8f:da:8c:d5:11:29:a6:1b:75:c1:e4:5d:58:
ab:08:63:83:e9:4f:8e:6c:f3:53:62:b1:99:30:8b:33:55:13:
7d:de:b0:d0:4d:09:79:66:13:f9:a5:ed:c4:73:d1:9f:7f:75:
40:53:5a:5c:53:3f:4c:9b:2a:2d:a8:a0:43:f4:36:25:6c:9a:
e5:d4:e3:b9:4f:4a:c8:fd:ab:91:7e:92:e9:3c:da:d5:dc:ea:
b4:dc:c4:9a:62:91:02:26:ee:56:fa:c6:7a:b3:ff:6c:30:86:
ae:37:d9:c5:9b:ac:a0:d6:62:17:ff:c4:a8:aa:d0:8e:5a:c9:
c2:6c:33:6e:57:2f:95:3e:3d:32:bd:44:a0:66:30:14:b7:9d:
64:82:cd:fa:d6:af:c6:8f:f4:15:c6:0b:2d:b9:22:8d:2b:22:
06:f2:61:b1:e9:c7:32:96:86:32:3c:57:5f:c5:80:80:0b:13:
d7:84:5d:e3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:14:e1:6e:79:9d:06:a1:13:e6:59:eb:fd:63:e9:61:fa:b0:76:0e:87:a7 :f4:4b:34:95:1c:64:a4:02:03:38:5c:dd:0b:c3
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=TREENAME, OU=Organizational CA
Validity
Not Before: Sep 22 17:20:00 2016 GMT
Not After : Sep 22 17:20:00 2018 GMT
Subject: O=SNIELSON2_TREE, CN=sNIelson2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:99:8f:9e:9e:9f:eb:10:82:5b:dc:a6:2b:d7:5a:
5e:5f:d6:f5:b8:77:99:86:97:23:b2:11:21:80:da:
1e:be:06:da:ee:46:83:24:43:ff:ca:c5:95:0f:ff:
82:28:20:b8:b0:61:1a:e8:cd:40:9e:a1:09:b7:99:
4d:e8:74:ff:89:c8:7c:ea:41:3c:2f:9d:a5:9d:4e:
10:fa:a5:63:ee:23:0b:a3:10:78:9a:ff:3e:fc:63:
e9:b6:c6:08:30:12:f1:c4:5f:28:0c:dc:ce:5f:dd:
3b:00:0d:e8:19:f1:b0:da:b5:7c:5e:57:f9:25:b0:
53:ad:2b:02:ad:b4:0e:df:93:b5:77:fc:86:6f:58:
2b:25:2b:3d:72:fc:9e:76:22:3e:95:aa:fd:b2:f6:
50:17:91:72:e2:44:68:66:30:27:1a:98:88:cc:1c:
b0:23:db:18:29:98:07:46:e6:fb:72:b3:46:b5:a2:
62:9e:7b:6e:a1:49:fe:d6:42:ae:30:46:37:7f:87:
2c:67:c2:45:29:fe:2c:6f:02:bc:6a:02:f8:7a:91:
a4:eb:bd:81:8d:a3:00:e7:e9:d3:73:b2:5d:32:89:
03:8c:25:78:ee:c3:41:18:fe:9c:f6:71:60:e7:f5:
27:26:1e:54:9e:b9:ee:02:82:8b:1e:65:1f:c2:df:
6c:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CE:39:BE:C5:46:BB:C4:69:17:73:B2:C8:16:3B:28:6F:B5:F9:5F:9B
X509v3 Authority Key Identifier:
keyid:C9:F8:38:AA:E2:E7:98:30:B4:CA:43:78:CD:7B:70:32:3B:95:50:F F
X509v3 Subject Alternative Name:
IP Address:151.155.215.93
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security Attribute(tm).Chttp://developer.nov ell.com/repository/attributes/certattrs_v10.htm0..H.....0.0......F0.0......
........................0.0......................H0.0......................H.X.. .@..............@.......0.0.....................ny0.0.....................ny.N0L ........................0.0.................0.0.................
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
42:11:d8:d1:55:1f:bf:ce:4c:fc:61:8a:11:33:3f:7d:26:1b:
80:e6:c1:1f:ac:75:29:d2:82:43:9e:f8:aa:75:f5:6f:05:57:
d9:4f:75:dd:8c:64:ad:96:67:0b:06:fb:cc:96:3a:69:77:37:
49:19:0e:01:43:2f:77:01:a8:4c:00:02:37:b4:a7:a6:57:2e:
a4:76:3d:4e:95:8f:da:8c:d5:11:29:a6:1b:75:c1:e4:5d:58:
ab:08:63:83:e9:4f:8e:6c:f3:53:62:b1:99:30:8b:33:55:13:
7d:de:b0:d0:4d:09:79:66:13:f9:a5:ed:c4:73:d1:9f:7f:75:
40:53:5a:5c:53:3f:4c:9b:2a:2d:a8:a0:43:f4:36:25:6c:9a:
e5:d4:e3:b9:4f:4a:c8:fd:ab:91:7e:92:e9:3c:da:d5:dc:ea:
b4:dc:c4:9a:62:91:02:26:ee:56:fa:c6:7a:b3:ff:6c:30:86:
ae:37:d9:c5:9b:ac:a0:d6:62:17:ff:c4:a8:aa:d0:8e:5a:c9:
c2:6c:33:6e:57:2f:95:3e:3d:32:bd:44:a0:66:30:14:b7:9d:
64:82:cd:fa:d6:af:c6:8f:f4:15:c6:0b:2d:b9:22:8d:2b:22:
06:f2:61:b1:e9:c7:32:96:86:32:3c:57:5f:c5:80:80:0b:13:
d7:84:5d:e3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----