Cool Solutions

Certificate Re-creation Script for OES11, OES2015 and OES2018

By: and

February 2, 2012 1:47 pm






Download certificate-creation-4.0.tbz

The Certificate Re-creation script recreates the certificates on OES11, OES2015, and OES2018 servers using a Personal Information Exchange File. With an additional parameter it will also restart all the necessary services. The following information is obtained in the script execution process.

Platforms Supported:

OES11, OES2015, and OES2018 are currently supported.

Script Process:

  1. (Only executes when the -c switch is used) Prechecks are done to verify if the current certificates are good.
  2. The following files are backed up with the date and time appended.
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later
  3. Creation of new Certificates
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/SSCert.der //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later
    /etc/opt/novell/certs/SSCert.der //OES2 and later
  4. (Only executes when the -c switch is used)Postchecks are done to verify if the new certificates are good.
  5. Reloads services (optional but recommended)
    owcimond (only in OES1 and OES2)
    sfcb (oes11 and later)

Installation Instructions for Version 4:

  1. Download certificate-creation-4.0.tbz
  2. Open a Terminal window and type “su”
  3. Enter root’s password
  4. Extract the script from the tarball#tar –xjvf certificate-creation-4.0.tbz
  5. Make the script executable.#chmod 755
  6. Delete current eDirectory certificates.
    1. In iManager, go to Novell Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (looks like a magnifying glass)
    3. Select all certificates in the list and click delete.
  7. Delete the SAS Service Object.
    1. In iManager, go to Novell Certificate Access -> SAS Service Object.
    2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
    3. Check the box next to the SAS Service object and click delete.
  8. Go to the terminal opened in step #2 and type “ndsconfig upgrade”. This will create new eDirectory certificates for this server.
  9. Export the Personal Information Exchange File using iManager.
    1. In iManager, go to Directory Administration -> Modify Object
    2. Select the SSL CertificateDNS – YourServerName certificate object, which by default is in the same eDirectory context as your server object and click OK
    3. Go to the Certificates tab of the certificate object and click Validate. It should come back as Valid.
    4. Select Export.
    5. Select “Export private key” and “Include all certificates in the certification path if available.”
    6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
    7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
  10. Run the script#./ -f /directory/fileName.pfx -l -r

Fixes and Enhancements:

    Version 4.0

  1. Added support for OES2015 and OES2018.
  2. Fixed a few false success conditions.
    Version 3.1

  1. The Pre and Post checks are now optional. It only executes when the -c switch is used.
  2. The script no longer tries to restart owcimomd in OES11. owcimomd no longer is used in OES11.
    Version 3.0

  1. No longer displays the password when the ldap search throws an error
    Version 2.0

  1. This script will now do pre and post checks to see if the certificates are good or bad
  2. Color was also added for easier reading
    Version 1.1

  1. The script will now check if your are root
  2. OES2 x86_64 is now supported
  3. A relative path to the .pfx file can now be used.
Note: Using a –h will display other parameter options if desired
4 votes, average: 5.00 out of 54 votes, average: 5.00 out of 54 votes, average: 5.00 out of 54 votes, average: 5.00 out of 54 votes, average: 5.00 out of 5 (4 votes, average: 5.00 out of 5)
You need to be a registered member to rate this post.

Tags: ,
Categories: Cool Tools, File Services and Management, IT Operations Management, Open Enterprise Server, Technical

Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.


  1. By:peterhine

    Thanks VM.

    Now if only there was a way to get the .pfx out of eDir using ldap or some other command line tool. then we wouldn’t need iManager. We’d need the eDir credentials and a temporary password could be autogenerated to protect the pfx, and when finished, the pfx could be deleted. Could make it safer all round. !!!

    Challenge anyone ?


  2. By:woodsy_ca

    Ran into problems when migrating to a virtual system. This script was very helpful in restoring all the certificates. However, I ran into two problems:

    1. Although there appeared to be certificates for the server in eDirectory, editing the certificates in iManager drew a blank. I had to use TID 7001013 to re-create the certificates for the server in eDirectory.

    2. The script does not update the certificate store for Tomcat (/etc/opt/novell/tomcat4/cacerts. Had to import these manually using TID 3734475 as a guide.

    These are not complaints; just additional info if someone runs into the same issues.

    Thanks putting this together.

  3. By:martinst

    Hi, is this procedure still needed, or should I just use iManager – Novell Certificate Server – Create/Repair Default Certificates and then restart the ndsd | use the “namconfig -k” to use the new certificates?

    • By:joshw

      I can verify this – using iManager from another server I ran the “Create Default Certificates” task and marked the option to replace the existing certificates (mine were expired). I then ran “namconfig -k”, rebooted the server, and everything was working fine again. For reference, I was running iManager from a NW6.5 server, and the server I replaced the certificates on was OES1/SLES9.

  4. By:peterhine

    I added :

    cp /etc/ssl/servercerts/servercert.pem /etc/opt/novell/httpstkd/server.pem
    cp /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/httpstkd/server.key
    rcnovell-httpstkd restart

    just to take it a step further


  5. By:gyvnn

    Original servercert.pem:

    Recreated servercert.pem:

    openssl verify servercert.pem

    error 20 at 0 depth lookup:unable to get local issuer certificate

  6. By:MHGlenn

    Interesting; I wonder if this could be used to get everything back up to snuff after changing the hostname and/or IP address of a server?

    Well, off to the lab….

  7. By:1ana

    You could use VPN for that.

  8. By:MarkCRobinson

    Just tried this script for the first time, and it worked very well except….

    It runs namconfig -k before it does the nldap refresh, which means that it re-downloads the expired certificate if NAM is pointing at the local eDirectory LDAP.

    Running namconfig -k and then namconfig cache_refresh after the script finishes sorts that though.

  9. By:mstatman

    Also need to fix /var/opt/novell/tomcat5/conf/cacerts, else iManager will no longer be able to manage things like iPrint and NetStorage and who knows what else….

  10. By:MHGlenn

    …is the fact that your typical OES server has multiple processes that are all over the map when it comes to the utilization of certificates, and trying to all of get them back in sync after a major event makes herding cats look easy.

    I talked to Glen Davis about this last BrainShare, told him we needed to get all these critters to use the same watering hole when it came to certificates. Really; it’s past-due that this got fixed.

    • By:nlandas

      This script is a wonderful tool for the community. Thank you.

      Novell, There is no way that each of these services which typically rely on LDAP should have separate certificates stored all over the place. The certificates should all be in the same location and the system should rekey itself automatically. There should be no need for an admin to manually regenerate the keys and certainly not in so many areas.

      This whole process should be automated and simplified.

  11. By:mdemoulin

    Many thanks for this script.

    It should definitively be implemented in OES releases …
    It is so annoying to have to check for certificates validity and track down which got really updated on the system …

  12. By:kkbass

    Big fan of this script! It works wonders & saves quite a bit of time. Speaking of saving time… Any way during this process to set the SSL cert for more than 2 years? I know, set myself a calendar reminder for a month before the certs expire & redo them then, but wouldn’t it be much nicer to do that every 3 or more years instead of 2?


  13. By:nickb

    – Manager – Novell Certificate Server – Create/Repair Default Certificates worked just fine to fix the server certificates

    – To fix the Tomcat5 certificate, you can export the same SSL CertificateDNS in a .der format by deselecting the option to export the Private Certificate. The .der is an X.509 Certificate that is used by the default Tomcat cacerts file. You can import the certificate with the following command:
    keytool -import -alias -file cert.der -keystore /var/opt/novell/tomcat5/conf/cacerts -storepass changeit

    Then restart Tomcat:
    /etc/init.d/novell-tomcat5 stop
    /etc/init.d/novell-tomcat5 start

    – I still had issues with managing iPrint objects, so the final step was to follow and remove the following files:
    rm /var/opt/novell/tomcat5/webapps/nps/portal/modules/iPrintX/certstore/*

  14. By:tking

    Hi, I download and found errors in execution caused by null values to variables. To fix simply edit the script and on lines 105 and 107 enclose the variables in double quotes.

    if [ "$nam_conf_server" == "$ipsmd_conf_dsserver1" ]; then
    if [ "$iprint_g_server" == "$ipsmd_conf_dsserver1" ]; then

  15. By:casutton

    I have been using the script quite a bit lately and noticed that the rcowcimomd was attempting to run even though I’m on OES 11.1 and 11.2.

    I updated the script so that it can check for version 11 or higher instead of just version 11.

    Here is the diff

    > # return 0 if program version is equal or greater than check version
    > # - Louis Marascio
    > check_version()
    > {
    > local version=$1 check=$2
    > local winner=$(echo -e "$version\n$check" | sed '/^$/d' | sort -nr | head -1)
    > [[ "$winner" = "$version" ]] && return 0
    > return 1
    > }
    < printf "\n"
    < echo '#===========Reloading Services==========================================#'
    < if [ $oesVersion != "11" ]; then
    < echo 'Restarting owcimomd.................................#'
    < rcowcimomd restart
    < fi
    < echo 'Restarting namcd....................................#'
    < rcnamcd restart
    < echo 'Restarting apache2..................................#'
    printf "\n"
    > echo '#===========Reloading Services==========================================#'
    > if check_version "$oesVersion" "11"; then
    > echo "OES version is 11 or higher"
    > else
    > echo 'OES 10 Restarting owcimomd..........................#'
    > rcowcimomd restart
    > fi
    > echo 'Restarting namcd....................................#'
    > rcnamcd restart
    > echo 'Restarting apache2..................................#'
    > rcapache2 restart
    printf "\n"

  16. By:WGamradt

    I would like to see this script moved to an official repo and become officially supported. It is basically a must have on OES servers.

  17. By:rjneilly


    Thanks for the script. There are two errors with respect to the -r option to reload services.

    1. the help text has a typo, it says ‘nlap’. It should say ‘nldap’.

    2. the code section for reloadServices does not contain anything to reload the nldap service. It should contain something like:

    echo 'Restarting LDAP service..................................#'
    nldap -u
    nldap -l

    Not sure how this would relate to using the -l option which recreates the LUM cert and restarts the nldap service. If one used both options then nldap would be restarted twice I guess….



    • By:rjneilly

      Nevermind. Reread the script and realized that -l and -r are mandatory, therefore nldap will be restarted by the -l option. Help text is misleading in that it states that the -r option will cause a reload of nldap which it doesn’t.



  18. By:amginenigma

    Can you run this script (this process) against the server that has your CA? How about running it against the server running iManager?

  19. By:nlandas

    Does eDirectory Certificate Server self-provisioning eliminate the need for this script? It seems that this script does a lot more than just have the CA re-key itself. I’ve had self-provisioning on for some time and I don’t see how it corrects all the other eDirectory servers and services that rely on these certificates?

    Can someone set me straight. Thanks.

  20. By:mstatman

    Great script, used this many times. Needs to be updated for OES2015 though…

    This server in not SUSE Linux Enterpriser Server 9 or 10

    #=========== Results Summary ====================================#
    All creations of the certificates SUCCEEDED

    …but of course nothing actually got updated.