Novell Certificate Server has added support for a Subordinate Certificate Authority. This feature allows the Organizational CA to be subordinate to either a third-party CA or to a CA in another eDirectory tree. You still can have only one Organizational CA in your eDirectory tree.
The following are some of the reasons to have a Subordinate CA:
Allows the Organizational CA to become part of an existing third-party PKI
Allows multiple trees to share a common PKI Trusted Root (or Trust Anchor)
Allows for greater security of the Root CA by having the CA reside on a more secure system
Provides less risk by having the Root CA reside in a tree that is more tightly managed (for example, in a tree protected from rogue administrators or users)
In order to create a Subordinate CA, you must first delete the existing Organizational CA (see Deleting the Organizational CA). You must already have a PKCS#12 file containing the public/private key pair and the full certificate chain (the Subordinate CA certificate plus every issuing CA certificate up to the trust anchor). You can either obtain this file directly from a third-party CA or see Section 3.3.2, Creating a PKCS#12 File for a Subordinate CA, for how to create one. To create the Subordinate CA, connect to the tree in iManager and use the Configure Certificate Authority task with the Import creation method.
1. Create a Server Certificate object (or KMO) and a PKCS#10 CSR.
   a. Launch iManager.
   b. On the menu, click > .
   c. Select the server that will eventually host the CA, specify a certificate nickname, select the Custom creation method, then click .
   d. Select , then click .
   e. Select a key size (at least 2048 bit), make sure that is selected, then click .
   f. Click the button to the right of the field and edit the to reflect the subordinate CA and tree, select the Signature algorithm (SHA-256 or stronger; SHA-1 is deprecated for certificate signatures and is rejected by current clients), then click .
   g. Verify that the summary is correct, then click .
   h. Click , then follow the prompts to save the CSR to a file.
2. Get the CSR signed to create a certificate. The issuing CA must issue it as a CA certificate (basic constraints CA:TRUE with key usage keyCertSign), not as an ordinary server certificate, or the resulting Subordinate CA cannot sign anything.
   a. If the Subordinate CA is to be part of a third-party PKI, have the third-party CA create the certificate from the CSR.
   or
   b. If the Subordinate CA is to be signed by a CA in another eDirectory tree, continue with Step 2.b.
      i. Launch iManager.
      ii. On the menu, click > .
      iii. Select the file containing the CSR, then click .
      iv. Select a key type of , deselect , then click .
      v. Select the Certificate Authority Certificate type, select either the or a length, then click .
      vi. Verify the subject name and edit it if necessary. Specify a validity period (5-10 years is recommended), then click .
      vii. Select a format for the certificate, then click .
      viii. Click .
      ix. Click , then follow the prompts to save the certificate.
3. Acquire the CA certificates (the certificate of the issuing CA and of every CA above it).
   a. If the Subordinate CA is to be part of a third-party PKI, acquire the CA certificates from the third party.
   or
   b. If the Subordinate CA is to be signed by a CA in another eDirectory tree, continue with Step 3.b.
      i. Launch iManager.
      ii. On the menu, click > .
      iii. Click the tab, then select .
      iv. Click .
      v. Do not export the private key. Select a format for the certificate, then click .
      vi. Click , then follow the prompts to save the certificate.
4. Import the certificates into the Server Certificate object (or KMO).
5. Export the public/private keys to a PKCS#12 file.
   a. Continuing from Step 4.e, click , choose to include the private key, then click .
   b. Click , then follow the prompts to save the PKCS#12 file.
   c. Make a copy of this file and store it in a secure place. It contains the Subordinate CA's private key, so anyone who obtains it together with the password can issue certificates trusted throughout the tree; keep the password separately from the file.
6. (Optional) Delete the Server Certificate object (or KMO). The KMO holds a copy of the Subordinate CA's private key, so deleting it once the PKCS#12 file has been verified avoids leaving a second copy of that key in the tree.
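The same chain of operations done with the OpenSSL command line, as an added example that is not part of the original Novell documentation and does not use iManager: a throwaway self-signed root stands in for the third-party or other-tree CA, the subordinate CA certificate is issued from the CSR with the extensions that make it a CA (basicConstraints CA:TRUE, keyUsage keyCertSign/cRLSign), the chain and signature algorithm are checked, and key, certificate and issuer chain are bundled into the PKCS#12 file that Configure Certificate Authority imports. The distinguished names, file names, directory layout and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): build and check a
# subordinate-CA PKCS#12 with OpenSSL. All names, DNs and the password are
# constructed for the demo; the "root" here is a throwaway self-signed CA.
set -eu

# Step 1 equivalent: fresh RSA key and PKCS#10 CSR for the subordinate CA.
make_subca_csr() {
  dir=$1
  cat >"$dir/sub.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
O = SubTree
CN = SubTree Organizational CA
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/sub-ca.key" 2>/dev/null
  openssl req -new -key "$dir/sub-ca.key" -config "$dir/sub.cnf" -out "$dir/sub-ca.csr"
}

# Stand-in for the third-party / other-tree root CA (source of the Step 3 CA certs).
make_root_ca() {
  dir=$1
  cat >"$dir/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
O = ParentTree
CN = ParentTree Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/root-ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/root-ca.key" -config "$dir/root.cnf" \
    -extensions v3_ca -days 3650 -sha256 -out "$dir/root-ca.crt"
}

# Step 2 equivalent: sign the CSR as a *CA* certificate. Without CA:TRUE and
# keyCertSign the result is an ordinary server cert and cannot sign anything.
# pathlen:0 stops the subordinate CA from issuing further CAs.
sign_as_subca() {
  dir=$1
  cat >"$dir/subca-ext.cnf" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -in "$dir/sub-ca.csr" -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/subca-ext.cnf" \
    -out "$dir/sub-ca.crt" 2>/dev/null
}

# Steps 4-5 equivalent: private key + subordinate cert + issuer chain in one PKCS#12.
export_p12() {
  dir=$1; pass=$2
  openssl pkcs12 -export -inkey "$dir/sub-ca.key" -in "$dir/sub-ca.crt" \
    -certfile "$dir/root-ca.crt" -name "SubTree CA" -passout "pass:$pass" -out "$dir/sub-ca.p12"
}

# Checks worth running before handing the file to Configure Certificate Authority.
cert_is_ca()       { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_uses_sha256() { openssl x509 -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption'; }
chain_verifies()   { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Number of certificates in the bundle: 2 here (subordinate CA + its root).
p12_cert_count()   { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# Whole procedure; fails (non-zero exit) if any check does not hold.
build_subca_p12() {
  dir=$1; pass=$2
  make_subca_csr "$dir"
  make_root_ca "$dir"
  sign_as_subca "$dir"
  export_p12 "$dir" "$pass"
  cert_is_ca "$dir/sub-ca.crt"
  cert_uses_sha256 "$dir/sub-ca.crt"
  chain_verifies "$dir/sub-ca.crt" "$dir/root-ca.crt"
  [ "$(p12_cert_count "$dir/sub-ca.p12" "$pass")" -eq 2 ]
}

case "${1:-}" in
  demo) d=$(mktemp -d); build_subca_p12 "$d" changeit && echo "OK: $d/sub-ca.p12" ;;
esac
```

Run it as `sh subca.sh demo`. The checks catch the two mistakes that most often break a subordinate CA import: the issuing CA signing the CSR as a server certificate (no CA:TRUE), and a bundle that carries only the end certificate without its issuer chain. On OpenSSL 3.x the PKCS#12 is written with AES-256-CBC and PBKDF2 by default; if an older importer cannot read it, re-export with `-legacy` on that OpenSSL version. Drop `pathlen:0` only if the subordinate CA must itself sign further subordinate CAs.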