Cool Solutions

Certificate Re-creation Script for OES1, OES2 and OES 11



By:

February 2, 2012 1:47 pm

Reads:4,174

Comments:21

Score:5

License:
GPLv2

Download certificate-creation-3.1

The Certificate Re-creation script recreates the certificates on OES1, OES2, and OES 11 servers using a Personal Information Exchange File. With an additional parameter it will also restart all the necessary services. The following information is obtained in the script execution process.

Platforms Supported:

32 and 64 bit OES1, OES2, and OES 11 are currently supported.

Script Process:

  1. (Only executes when the -c switch is used) Prechecks are done to verify if the current certificates are good.
  2. The following files are backed up with the date and time appended.
    /etc/ssl/servercerts/servercert.pem
    /etc/ssl/servercerts/serverkey.pem
    /var/lib/novell-lum/x.x.x.x.der
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and OES 11
  3. Creation of new Certificates
    /etc/ssl/servercerts/serverkey.pem
    /etc/ssl/servercerts/servercert.pem
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/SSCert.der //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and OES 11
    /etc/opt/novell/certs/SSCert.der //OES2 and OES 11
    /var/lib/novell-lum/x.x.x.x.der	
  4. (Only executes when the -c switch is used)Postchecks are done to verify if the new certificates are good.
  5. Reloads services (optional but recommended)
    owcimond (only in OES1 and OES2)
    nldap
    namcd
    apache2	

Installation Instructions for Version 3:

  1. Download certificate-creation-3.1.tbz
  2. Open a Terminal window and type “su”
  3. Enter root’s password
  4. Extract the script from the tarball

    #tar –xjvf certificate-creation-3.1.tbz
  5. Make the script executable.

    #chmod 755 certificate-creation.sh
  6. Delete current eDirectory certificates.
    1. In iManager, go to Novell Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (looks like a magnifying glass)
    3. Select all certificates in the list and click delete.
  7. Delete the SAS Service Object.
    1. In iManager, go to Novell Certificate Access -> SAS Service Object.
    2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
    3. Check the box next to the SAS Service object and click delete.
  8. Go to the terminal opened in step #2 and type “ndsconfig upgrade”. This will create new eDirectory certificates for this server.
  9. Export the Personal Information Exchange File using iManager.
    1. In iManager, go to Directory Administration -> Modify Object
    2. Select the SSL CertificateDNS – YourServerName certificate object, which by default is in the same eDirectory context as your server object and click OK
    3. Go to the Certificates tab of the certificate object and click Validate. It should come back as Valid.
    4. Select Export.
    5. Select “Export private key” and “Include all certificates in the certification path if available.”
    6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
    7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
  10. Run the certificate-creation.sh script

    #./certificate-creation-3.1.sh -f /directory/fileName.pfx -l -r

Fixes and Enhancements:

    Version 1.1

  1. The script will now check if your are root
  2. OES2 x86_64 is now supported
  3. A relative path to the .pfx file can now be used.
    Version 2.0

  1. This script will now do pre and post checks to see if the certificates are good or bad
  2. Color was also added for easier reading
    Version 3.0

  1. No longer displays the password when the ldap search throws an error
    Version 3.1

  1. The Pre and Post checks are now optional. It only executes when the -c switch is used.
  2. The script no longer tries to restart owcimomd in OES 11. owcimomd no longer is used in OES 11.
Note: Using a –h will display other parameter options if desired
1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5)
You need to be a registered member to rate this post.
Loading ... Loading ...

Tags: ,
Categories: Cool Tools, Open Enterprise Server, Technical

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

21 Comments

  1. By:peterhine

    Thanks VM.

    Now if only there was a way to get the .pfx out of eDir using ldap or some other command line tool. then we wouldn’t need iManager. We’d need the eDir credentials and a temporary password could be autogenerated to protect the pfx, and when finished, the pfx could be deleted. Could make it safer all round. !!!

    Challenge anyone ?

    P

  2. By:woodsy_ca

    Ran into problems when migrating to a virtual system. This script was very helpful in restoring all the certificates. However, I ran into two problems:

    1. Although there appeared to be certificates for the server in eDirectory, editing the certificates in iManager drew a blank. I had to use TID 7001013 to re-create the certificates for the server in eDirectory.
    http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=7001013

    2. The script does not update the certificate store for Tomcat (/etc/opt/novell/tomcat4/cacerts. Had to import these manually using TID 3734475 as a guide.
    http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=3734475

    These are not complaints; just additional info if someone runs into the same issues.

    Thanks putting this together.

  3. By:martinst

    Hi, is this procedure still needed, or should I just use iManager – Novell Certificate Server – Create/Repair Default Certificates and then restart the ndsd | use the “namconfig -k” to use the new certificates?

    • By:joshw

      I can verify this – using iManager from another server I ran the “Create Default Certificates” task and marked the option to replace the existing certificates (mine were expired). I then ran “namconfig -k”, rebooted the server, and everything was working fine again. For reference, I was running iManager from a NW6.5 server, and the server I replaced the certificates on was OES1/SLES9.

  4. By:peterhine

    I added :


    cp /etc/ssl/servercerts/servercert.pem /etc/opt/novell/httpstkd/server.pem
    cp /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/httpstkd/server.key
    rcnovell-httpstkd restart

    just to take it a step further

    P

  5. By:gyvnn

    Original servercert.pem:
    —–BEGIN CERTIFICATE—–
    Bla-bla-bla…
    —–END CERTIFICATE—–
    —–BEGIN TRUSTED CERTIFICATE—–
    Bla-bla-bla…
    —–END TRUSTED CERTIFICATE—–

    Recreated servercert.pem:
    —–BEGIN CERTIFICATE—–
    Bla-bla-bla…
    —–END CERTIFICATE—–

    Execute:
    openssl verify servercert.pem

    error 20 at 0 depth lookup:unable to get local issuer certificate

  6. By:MHGlenn

    Interesting; I wonder if this could be used to get everything back up to snuff after changing the hostname and/or IP address of a server?

    Well, off to the lab….

  7. By:1ana

    You could use VPN for that.

  8. By:MarkCRobinson

    Just tried this script for the first time, and it worked very well except….

    It runs namconfig -k before it does the nldap refresh, which means that it re-downloads the expired certificate if NAM is pointing at the local eDirectory LDAP.

    Running namconfig -k and then namconfig cache_refresh after the script finishes sorts that though.

  9. By:mstatman

    Also need to fix /var/opt/novell/tomcat5/conf/cacerts, else iManager will no longer be able to manage things like iPrint and NetStorage and who knows what else….

  10. By:MHGlenn

    …is the fact that your typical OES server has multiple processes that are all over the map when it comes to the utilization of certificates, and trying to all of get them back in sync after a major event makes herding cats look easy.

    I talked to Glen Davis about this last BrainShare, told him we needed to get all these critters to use the same watering hole when it came to certificates. Really; it’s past-due that this got fixed.
    :(

    • By:nlandas

      This script is a wonderful tool for the community. Thank you.

      Novell, There is no way that each of these services which typically rely on LDAP should have separate certificates stored all over the place. The certificates should all be in the same location and the system should rekey itself automatically. There should be no need for an admin to manually regenerate the keys and certainly not in so many areas.

      This whole process should be automated and simplified.

  11. By:mdemoulin

    Many thanks for this script.

    It should definitively be implemented in OES releases …
    It is so annoying to have to check for certificates validity and track down which got really updated on the system …

  12. By:kkbass

    Big fan of this script! It works wonders & saves quite a bit of time. Speaking of saving time… Any way during this process to set the SSL cert for more than 2 years? I know, set myself a calendar reminder for a month before the certs expire & redo them then, but wouldn’t it be much nicer to do that every 3 or more years instead of 2?

    Thanks!

  13. By:nickb

    - Manager – Novell Certificate Server – Create/Repair Default Certificates worked just fine to fix the server certificates

    - To fix the Tomcat5 certificate, you can export the same SSL CertificateDNS in a .der format by deselecting the option to export the Private Certificate. The .der is an X.509 Certificate that is used by the default Tomcat cacerts file. You can import the certificate with the following command:
    keytool -import -alias -file cert.der -keystore /var/opt/novell/tomcat5/conf/cacerts -storepass changeit

    Then restart Tomcat:
    /etc/init.d/novell-tomcat5 stop
    /etc/init.d/novell-tomcat5 start

    - I still had issues with managing iPrint objects, so the final step was to follow http://www.novell.com/support/kb/doc.php?id=7001666 and remove the following files:
    rm /var/opt/novell/tomcat5/webapps/nps/portal/modules/iPrintX/certstore/*

  14. By:tking

    Hi, I download and found errors in execution caused by null values to variables. To fix simply edit the script and on lines 105 and 107 enclose the variables in double quotes.

    if [ "$nam_conf_server" == "$ipsmd_conf_dsserver1" ]; then
    sameVar="1"
    fi
    if [ "$iprint_g_server" == "$ipsmd_conf_dsserver1" ]; then
    printFilesSame="1"
    fi

Comment

RSS