The Certificate Re-creation script recreates the certificates on OES1, OES2, and OES 11 servers using a Personal Information Exchange File. With an additional parameter it will also restart all the necessary services. The following information is obtained in the script execution process.
32 and 64 bit OES1, OES2, and OES 11 are currently supported.
- (Only executes when the -c switch is used) Prechecks are done to verify if the current certificates are good.
- The following files are backed up with the date and time appended.
/etc/ssl/servercerts/servercert.pem /etc/ssl/servercerts/serverkey.pem /var/lib/novell-lum/x.x.x.x.der /etc/opt/novell/SSCert.pem //OES1 /etc/opt/novell/certs/SSCert.pem //OES2 and OES 11
- Creation of new Certificates
/etc/ssl/servercerts/serverkey.pem /etc/ssl/servercerts/servercert.pem /etc/opt/novell/SSCert.pem //OES1 /etc/opt/novell/SSCert.der //OES1 /etc/opt/novell/certs/SSCert.pem //OES2 and OES 11 /etc/opt/novell/certs/SSCert.der //OES2 and OES 11 /var/lib/novell-lum/x.x.x.x.der
- (Only executes when the -c switch is used)Postchecks are done to verify if the new certificates are good.
- Reloads services (optional but recommended)
owcimond (only in OES1 and OES2) nldap namcd apache2
Installation Instructions for Version 3:
- Download certificate-creation-3.1.tbz
- Open a Terminal window and type “su”
- Enter root’s password
- Extract the script from the tarball
#tar –xjvf certificate-creation-3.1.tbz
- Make the script executable.
#chmod 755 certificate-creation.sh
- Delete current eDirectory certificates.
- In iManager, go to Novell Certificate Access -> Server Certificates.
- Select the server you plan on recreating the certificates on (looks like a magnifying glass)
- Select all certificates in the list and click delete.
- Delete the SAS Service Object.
- In iManager, go to Novell Certificate Access -> SAS Service Object.
- Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
- Check the box next to the SAS Service object and click delete.
- Go to the terminal opened in step #2 and type “ndsconfig upgrade”. This will create new eDirectory certificates for this server.
- Export the Personal Information Exchange File using iManager.
- In iManager, go to Directory Administration -> Modify Object
- Select the SSL CertificateDNS – YourServerName certificate object, which by default is in the same eDirectory context as your server object and click OK
- Go to the Certificates tab of the certificate object and click Validate. It should come back as Valid.
- Select Export.
- Select “Export private key” and “Include all certificates in the certification path if available.”
- Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
- Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
- Run the certificate-creation.sh script
#./certificate-creation-3.1.sh -f /directory/fileName.pfx -l -r
Fixes and Enhancements:
- The script will now check if your are root
- OES2 x86_64 is now supported
- A relative path to the .pfx file can now be used.
- This script will now do pre and post checks to see if the certificates are good or bad
- Color was also added for easier reading
- No longer displays the password when the ldap search throws an error
- The Pre and Post checks are now optional. It only executes when the -c switch is used.
- The script no longer tries to restart owcimomd in OES 11. owcimomd no longer is used in OES 11.