Server Certificate Object Tasks


Creating Server Certificate Objects

This task is described in Chapter 2. See Creating Server Certificate Objects.


Importing a Public Key Certificate into a Server Certificate Object

You import a public key certificate after you have created a certificate signing request (CSR) and the Certificate Authority (CA) has returned the signed public key certificate to you. This task applies when you have created a Server Certificate object using the Custom option with the External CA signing option.

There are several ways in which the CA can return the certificate. Typically, the CA either returns one or more files each containing one certificate, or returns a file with multiple certificates in it. These files can be binary, DER-encoded files (.der, .cer, .crt, .p7b) or they can be textual, base64-encoded files (.cer, .b64).

If the file has multiple certificates in it, it must be in PKCS #7 format in order to be imported into a Server Certificate object. Additionally, the file must contain all of the certificates to be imported into the object (the root-level CA certificate, any intermediate CA certificates, and the server certificate).

If the CA returns multiple files to you as a result of signing the certificate, each file will contain a different certificate that must be imported into the Server Certificate object. If there are more than two files (one for the root-level CA, one or more for the intermediate CAs, and one for the server certificate), these files must be combined into a PKCS #7 file in order to be imported into a Server Certificate object.

There are several ways to create a PKCS #7 file. One way is to import all of the certificates into Internet Explorer. After they have been imported, the server certificate and all of the certificates in the certificate chain can be exported in PKCS #7 format using Internet Explorer.
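The same PKCS #7 bundle can be built from the command line with OpenSSL instead of Internet Explorer. This is an added example, not part of the Novell documentation; the file names are assumptions, and the count check lets you confirm that the root, intermediate and server certificates are all present before you import the file.

```shell
#!/bin/sh
# Added example (not Novell's code): combine the separate root, intermediate and
# server certificate files a CA returned into the single PKCS #7 file that the
# Import step accepts. Input file names and chain.p7b are assumptions.
set -eu

# to_pem FILE: print FILE as a PEM certificate, whether the CA returned it
# base64-encoded (.cer/.b64, starts with "-----BEGIN") or binary DER (.der/.crt).
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -inform PEM -in "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

# build_p7b OUT CERT...: write every certificate given (any mix of DER and
# base64 files) into one DER-encoded PKCS #7 file named OUT.
build_p7b() {
    out=$1; shift
    tmp=$(mktemp)
    for f in "$@"; do
        to_pem "$f" >> "$tmp"
    done
    # -nocrl gives a certificate-only SignedData, which is what a .p7b file is
    openssl crl2pkcs7 -nocrl -certfile "$tmp" -outform DER -out "$out"
    rm -f "$tmp"
}

# count_certs P7B: number of certificates inside the PKCS #7 file. Before
# importing, this must equal 1 (root) + intermediates + 1 (server certificate).
count_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}

# list_subjects P7B: subject of each certificate, in file order, for a visual check.
list_subjects() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject='
}

# Usage: sh build_chain.sh chain.p7b root.cer intermediate.cer server.cer
if [ $# -ge 2 ]; then
    build_p7b "$@"
    echo "$(count_certs "$1") certificate(s) written to $1"
    list_subjects "$1"
fi
```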

Some CAs do not return a root-level CA certificate along with the server certificate. In order to obtain the root-level CA certificate, contact the CA provider directly or call Novell Support.

To import the certificates into a Server Certificate object:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object you want to modify.

  5. Click OK.

  6. Click the Certificates tab.

  7. Click Import.

  8. Browse for and select the certificate data file.

  9. Browse for and select the trusted root data file.

    If all certificates are contained in a single file, leave this field blank.

  10. Click OK.


Exporting a Trusted Root or Public Key Certificate

You export a certificate to a file for the following reasons:

You can export the certificate in two file formats: DER-encoded (.der) and Base64-encoded (.b64). The .crt extension can also be used for DER-encoded certificates. You can also export to the system clipboard in Base64 format so that it can be pasted directly into a cryptography-enabled application.

To export a trusted root or public key certificate:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as a user with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object the particular application is configured to use.

  5. Click OK.

  6. Click the Certificates tab, and click the certificate (trusted root or public key) you want to export.

  7. Click Export.

    This opens a wizard that helps you export the certificate to a file.

  8. When asked whether or not to export the private key, click No, then click Next.

  9. Select an output format (binary DER or text-encoded base64), then click Next.

  10. Click Save the exported certificate to a file and save the file to a location of your choice.

  11. Click Close > Close > OK.

  12. Use the file as needed.

    For example, if you want to install a trusted root certificate in an Internet Explorer browser, double-click the file. This initiates a wizard that will accept the CA as a trusted root. Accepting the CA as a trusted root means that the browser automatically accepts SSL connections with services that use certificates issued by this CA.


Deleting a Server Certificate Object

You should delete a Server Certificate object if you suspect that the private key has been compromised, if you no longer want to use the key pair, or if the trusted root in the Server Certificate object is no longer trusted.

IMPORTANT:  After the Server Certificate object is deleted, you cannot recover it unless you have previously made a backup. Before you delete this object, make sure that no cryptography-enabled applications still need to use it. You can re-create a Server Certificate object, but you will need to reconfigure any applications that referenced the old object.

To delete a Server Certificate object:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Delete Object.

  4. Browse to and click on the Server Certificate object you want to delete.

  5. Click OK, then OK again to delete the object.


Viewing a Server Certificate Object's Properties

In addition to the eDirectory rights and properties that are viewable with any eDirectory object, you can also view properties specific to the Server Certificate object, including the properties of the public key certificate and the trusted root certificate associated with it, if they exist.

To view a Server Certificate object's properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object you want to view.

  5. Click OK.

    This brings up the property pages for the Server Certificate Object, including a General page, a Certificates page, and property pages related to eDirectory.

  6. Click each tab you want to view.

  7. Click Cancel.


Viewing a Server Certificate Object's Public Key Certificate Properties

To view a Server Certificate object's public key certificate properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as a user with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object you want to view.

  5. Click OK.

  6. Click Public Key Certificate.

    • If a public key certificate is installed, the property page displays the subject's fully typed name, the issuer's fully typed name, and the validity dates of the public key certificate.
    • If the public key certificate has not yet been installed, the property page indicates this.

  7. To view additional information about a public key certificate, click Details.

    The Details page has information contained in the public key certificate.

  8. Click Close > Cancel.


Viewing a Server Certificate Object's Trusted Root Certificate Properties

To view a Server Certificate object's trusted root certificate properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object you want to view.

  5. Click OK.

  6. Click Trusted Root Certificate.

    • If a trusted root certificate is installed, the property page displays the subject's fully typed name, the issuer's fully typed name, and the validity dates of the trusted root certificate.
    • If the trusted root certificate has not yet been installed, the property page indicates this.

  7. To view additional information about a trusted root certificate, click Details.

    The Details page has information contained in the trusted root certificate.

  8. Click Close > Cancel.


Backing Up a Server Certificate Object

Novell Certificate Server allows you to store certificates signed by third-party Certificate Authorities in server certificate objects. Often these certificates cost a significant amount of money. Unfortunately, if an unrecoverable failure happens on the server that owns the certificates, the server certificate object can no longer be used. In order to protect against such failures, you might want to back up server certificates signed by external CAs and their associated private keys. Then, if a failure should occur, you can use the backup file to restore your server certificate object to any server in the tree that has Certificate Server version 2.21 or higher installed.

NOTE:  The ability to back up a server certificate object is only available for objects created with Certificate server version 2.21 or later. In previous versions of Certificate Server, the server's private key was created in a way that made exporting it impossible.

The backup file contains the server's private key, public key certificate, trusted root certificate, and any intermediate CA certificates stored. This information is stored in PKCS #12 format (also known as PFX).

A server certificate object should be backed up when it is working properly.

To back up a Server Certificate object:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object you want to back up.

  5. Click OK.

  6. Click the Certificates tab.

  7. Click either the Trusted Root Certificate or the Public Key Certificate. Both certificates are written to the file during the backup operation.

  8. Click Export.

    This opens a wizard that helps you export the certificates to a file.

  9. When asked whether to export the private key, select Yes, then click Next.

  10. Specify a password with 6 or more alphanumeric characters to use in encrypting the PFX file.

  11. Click Next.

  12. Click Save the exported certificate to a file. Select the filename and the location for the backup file.

  13. Click Close > Close.

    The encrypted backup file is written to the location specified. It is now ready to be stored in a secure location for emergency use.

IMPORTANT:  The exported file should be put on a diskette or some other form of backup media and stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a vault to ensure that it is available when needed, but inaccessible to others.


Restoring a Server Certificate Object

If the Server Certificate object has been deleted or corrupted, or if the server that owned the Server Certificate object has suffered an unrecoverable failure, the object can be restored to full operation using a backup file created as described in Backing Up a Server Certificate Object.

The ability to restore a Server Certificate object is only available in Certificate Server version 2.21 or later.

If you were unable to make a backup of the server certificate object, the server certificate object may still be usable if NICI 2.x is installed on the server and a backup was made of the NICI configuration information. See the NICI documentation for information on how to back up and restore the NICI configuration files.

To restore the server certificate object:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. Delete the old server certificate object.

  4. From the Roles and Tasks menu, click Novell Certificate Server > Create Server Certificate.

    This opens the Create a Server Certificate Wizard that creates the object.

  5. In the wizard, specify the server that should own the server certificate object and the certificate nickname of the server certificate. The server specified must have Certificate Server version 2.21 or higher installed and be up and running.

  6. Specify the Import option, then click Next.

  7. Browse for and select the backup file and enter the backup file password, then click Finish.

The server's private key and certificates have now been restored and the server certificate object is fully functional. The backup file can now be stored again for future use if desired.

IMPORTANT:  Be sure to protect your backup media.


Server Certificate Objects and Clustering

You can set up server certificate objects in a clustered environment to ensure that your cryptography-enabled applications that use server certificate objects will always have access to them. Using the backup and restore feature for server certificate objects, you can duplicate the object's keying material from one node in the cluster to all nodes. When the keying material is signed by an external CA, this saves you money: one set of signed keying material is duplicated to every node rather than paying for new keying material for every node in the cluster.

To set up server certificates to work in a clustered environment:

  1. Create a server certificate on a server in the cluster using either the Organizational CA or an external CA of your choice. See Creating Server Certificate Objects.

    When you create the server certificate objects, the Common Name (CN) portion of the certificate's subject name should be an IP or DNS name that is specific to the service. Otherwise, you will receive a browser warning message indicating that the IP or DNS name on the URL does not match that in the certificate.

    NOTE:  If different services have different IP or DNS addresses, you need to create a server certificate for each service.

  2. Back up the keying material for this server certificate object and restore it by creating a server certificate object with the identical key pair name as the first on all remaining servers in the cluster. See Backing Up a Server Certificate Object.


Validating a Server Certificate

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate using iManager. Any certificate in the eDirectory tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information is provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  4. Browse to and click on the Server Certificate object you want to validate.

  5. Click OK.

  6. Click the Certificates tab.

  7. Click either Trusted Root Certificate or Public Key Certificate.

  8. Click Validate.

    The status of the certificate is provided in the Certificate Status field. If the certificate is not valid, the reason is given. Click Details for information about the exact certificate that was considered invalid.


Moving a Server Certificate Object to a Different Server

You can move a Server Certificate Object from one server to another by using the backup and restore procedures outlined in Backing Up a Server Certificate Object and Restoring a Server Certificate Object.

  1. Make sure the Server Certificate Object is functional.

  2. Back up the Server Certificate Object.

  3. Restore the Server Certificate Object to the desired server.

IMPORTANT:  Be sure to protect your backup media.


Replacing a Server Certificate Object's Keying Material

The private key and certificates in the server certificate object can be replaced. They should normally be replaced only with an internally generated PFX file created during a backup of a server certificate object. An externally generated PFX file can also be used if it contains the private key, the server certificate, and the entire certificate chain. The key and certificates in the file need not match the ones in the object; the data in the file overwrites the key and certificates in the object.

Replacing the private key and certificates in the server certificate object is a serious matter. If the key and certificates do not exactly match the ones in the object, it is the same as deleting the current server certificate object and creating a new one. See the section Deleting a Server Certificate Object for more information on the consequences of deleting the object.

If the key and certificates do match the ones in the object, replacing the keying material will have no effect except to regenerate a few attributes used by the Secure Authentication Services (SAS) and NILE services.
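Before clicking Replace, you can tell which of the two cases above applies by comparing the server certificate inside the PFX file with the public key certificate exported from the object (see Exporting a Trusted Root or Public Key Certificate), and by checking that the key and certificate in the PFX belong together. This is an added example using OpenSSL, not part of the Novell documentation; file names and the password argument are assumptions.

```shell
#!/bin/sh
# Added example (not Novell's code): decide what Replace will do by comparing the
# server certificate inside a PFX backup with the public key certificate exported
# from the Server Certificate object. File names and the password are assumptions.
set -eu

# cert_fingerprint CERT: SHA-256 fingerprint of a certificate file (DER or base64)
cert_fingerprint() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then inform=PEM; else inform=DER; fi
    openssl x509 -inform "$inform" -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pfx_cert_fingerprint PFX PASSWORD: fingerprint of the end-entity (server)
# certificate stored in the PFX file; CA certificates in the chain are skipped
pfx_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pfx_key_matches PFX PASSWORD: "yes" when the private key and the server
# certificate in the PFX belong together (same public key), else "no"
pfx_key_matches() {
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout)
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -pubkey)
    if [ "$key_pub" = "$cert_pub" ]; then echo yes; else echo no; fi
}

# replace_effect OBJECT_CERT PFX PASSWORD: "same" if Replace only regenerates the
# SAS/NILE attributes, "different" if it amounts to deleting and re-creating the object
replace_effect() {
    if [ "$(cert_fingerprint "$1")" = "$(pfx_cert_fingerprint "$2" "$3")" ]; then
        echo same
    else
        echo different
    fi
}

# Usage: sh check_pfx.sh exported_object_cert.b64 backup.pfx 'password'
if [ $# -eq 3 ]; then
    echo "key matches certificate in PFX: $(pfx_key_matches "$2" "$3")"
    echo "replace effect: $(replace_effect "$1" "$2" "$3")"
fi
```

Passing the password as a command-line argument exposes it in the process list; for real use, change `pass:` to `file:` and read it from a file that only the administrator can open.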

To replace the keying material on the Server Certificate object:

  1. As a precaution, back up the server certificate object with the private key. See Backing Up a Server Certificate Object.

  2. Launch Novell iManager.

  3. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Entry Rights Needed to Perform Tasks.

  4. From the Roles and Tasks menu, click eDirectory Administration > Modify Object.

  5. Browse to and click on the Server Certificate object you want to modify.

  6. Click OK.

  7. Click the Certificates tab.

  8. Click either the Trusted Root Certificate or the Public Key Certificate.

    The operation can be started from either page. It replaces both certificates as well as the private key and any other certificates in the certificate chain.

  9. Click Replace.

    This opens a wizard that helps you specify the PFX (backup) file.

  10. Browse for and select the backup file, enter the backup file password, then click OK.

The server's private key and certificates have now been replaced and the server certificate is fully functional. The backup file should be stored again for future use if desired.

IMPORTANT:  Be sure to protect your backup media.