Using Third-Party Certificates

Novell iChain includes Novell Public Key Infrastructure Services (PKIS 2.0) to provide cryptography and enable certificate services in your iChain infrastructure. A Novell server certificate is installed and configured automatically when you install Novell iChain; however, you may want to use other third-party certificates, such as Baltimore* certificates, in your infrastructure. In order to use third-party certificates in your iChain infrastructure, you must request a certificate from a Certificate Authority (CA), have the CA sign the certificate, collect and export the certificate and its trusted root, and then import the certificate and its trusted root to the iChain Proxy Server. The following procedure describes the process for a Baltimore certificate.

To create a Certificate Signing Request (CSR) for a server certificate for the iChain Proxy Server:

  1. In the browser-based management tool, click Home > Certificate Maintenance > Create.

  2. Enter an appropriate name for the certificate and subject name.

  3. Click the Signature Algorithm drop-down list > select the algorithm you want to use (SHA-1 or MD-5).

  4. Click the RSA Key Size drop-down list > select the RSA key size that you want to use.

    You cannot select a key size larger than the maximum key size on the appliance.

  5. Click Use External Certificate Authority.

  6. If desired, enter a name for your organization or division.

    This is commonly referred to as the Organizational Unit (OU) and is used to distinguish departments or divisions within the organization.

  7. Enter the city or town where your organization does business.

  8. Enter the unabbreviated name of the state or province where the organization does business.

    This is commonly referred to as the state.

  9. Enter the International Standards Organization country code for the country where the organization does business.

    This is commonly referred to as the country and must be a valid, two-character country code.

  10. Click OK.

    Examine the Action and Status fields. The Action field should have red arrows on the left and the word Request displayed on a green background. The Status should be Building. The red arrows and green background indicate that you need to click Apply.

  11. Click Apply.

    If any errors occur during the certificate request process, they will be displayed in the Error field on a red background.

    If an error occurs:

    1. Click Modify.

    2. In the Modify Certificate dialog box, make the changes necessary to resolve the errors > click OK.

    3. Click Apply. Repeat the modification process until the Status field displays the words CSR in Progress on a yellow background.

To extract the CSR from the iChain Proxy Server and send it to the CA, continue with the following steps:

  1. Click View CSR to open a new browser window that displays the CSR contents.

  2. Select and copy the complete CSR text into your computer's clipboard.

    Internet Explorer and some other browsers drop the line breaks after the header line and before the trailer line, running them together with the CSR text in between. Clicking the browser refresh/reload button will often fix the problem. If it doesn't, simply insert the appropriate carriage returns during the next step. If that does not fix the defect either, you can view the source of the HTML page and copy and paste the CSR from the source instead. After you have copied the text, you can close the browser window.

  3. Paste the CSR text from the clipboard to the e-mail message or HTML form as required by your CA. The method for sending the CSR will vary depending on the authority. VeriSign, for example, uses a Web page interface.

    IMPORTANT:  The header and trailer must be on lines separate from the body of the CSR. The header line will be similar to the following:

    ----- BEGIN NEW CERTIFICATE REQUEST -----

    The trailer line will be similar to the following:

    ----- END NEW CERTIFICATE REQUEST -----

    If required, you must use hard returns to separate these two lines from the body of the CSR.
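The browser problem described above (header and trailer lines run together with the Base-64 body) can be repaired and checked mechanically before the CSR is submitted. The following Python script is an added example, not part of the iChain documentation or product: it accepts CSR text in either the fused or the clean form, re-emits it with the header and trailer on their own lines and the body wrapped at 64 columns, and also checks that the Base-64 body decodes to a complete DER SEQUENCE, which catches a paste that lost its tail. The sample input it builds is a constructed DER stand-in, not a real PKCS#10 request; the marker pattern, the function names and the wrapping width are this example's own choices.

```python
import base64
import re
import textwrap

# Header/trailer lines as the documentation shows them, tolerating stray
# dashes and spaces ("----- BEGIN NEW CERTIFICATE REQUEST -----") as well
# as the canonical "-----BEGIN NEW CERTIFICATE REQUEST-----" form.
_MARKER = re.compile(r"-{3,}\s*(BEGIN|END)\s+((?:NEW\s+)?CERTIFICATE\s+REQUEST)\s*-{3,}")


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_outer_length(der):
    """Total size (tag + length + body) that the outermost DER element claims.

    A PKCS#10 CSR is a DER SEQUENCE (tag 0x30). If the pasted text lost its
    tail, the claimed size is larger than the number of bytes actually decoded.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so not a CSR")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_csr(text):
    """Return (PEM label, DER bytes) from CSR text, even when the BEGIN/END
    lines have been run together with the Base-64 body."""
    marks = list(_MARKER.finditer(text))
    if len(marks) != 2 or marks[0].group(1) != "BEGIN" or marks[1].group(1) != "END":
        raise ValueError("expected exactly one BEGIN and one END marker")
    label = re.sub(r"\s+", " ", marks[0].group(2))
    body = re.sub(r"\s+", "", text[marks[0].end():marks[1].start()])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError(f"CSR body is not valid Base-64: {exc}") from None
    claimed = _der_outer_length(der)
    if claimed != len(der):
        raise ValueError(f"CSR looks truncated: DER claims {claimed} bytes, got {len(der)}")
    return label, der


def normalize_csr(text):
    """Re-emit the CSR as canonical PEM: header and trailer on their own
    lines and the Base-64 body wrapped at 64 columns."""
    label, der = parse_csr(text)
    lines = [f"-----BEGIN {label}-----"]
    lines += textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def validate_csr(text):
    """Return an empty string if the CSR text is usable, else the problem."""
    try:
        parse_csr(text)
        return ""
    except ValueError as exc:
        return str(exc)


def constructed_sample(drop_tail_chars=0):
    """Constructed stand-in for the 'View CSR' output: a DER
    SEQUENCE { OCTET STRING } (not a real PKCS#10 request) whose header,
    body and trailer are fused onto one line as the documentation describes.
    drop_tail_chars simulates a paste that lost the end of the body."""
    payload = bytes(range(150))                     # long enough to need long-form lengths
    inner = b"\x04" + _der_len(len(payload)) + payload
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    if drop_tail_chars:
        b64 = b64[:-drop_tail_chars]
    fused = ("----- BEGIN NEW CERTIFICATE REQUEST -----" + b64
             + "------ END NEW CERTIFICATE REQUEST -----")
    return fused, der


if __name__ == "__main__":
    fused, _ = constructed_sample()
    print(normalize_csr(fused))
    print("truncated sample:", validate_csr(constructed_sample(drop_tail_chars=8)[0]))
```

Run `validate_csr` on the text you are about to submit; an empty result means the body is intact, while a "truncated" message means the copy lost bytes and the CSR should be re-copied rather than resubmitted with manual line breaks.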

To sign the CSR, perform the following steps:

  1. Copy the CSR onto a diskette.

  2. Insert the diskette with the CSR into the drive of the Baltimore Certificate Authority.

  3. From the Registration Authority Operator (RAO) menu of the Baltimore CA, click Face to Face Requests > Register a New User.

  4. Select the Baltimore policy you have previously created for the proxy server certificate.

  5. Locate the CSR file on the diskette > select the file > click Open.

  6. Click Accept to process the CSR.

To collect the response to the CSR and export the trusted root, perform the following steps:

  1. Click Collect Reply from Last Request.

  2. Click File.

  3. Click DER Encoded Certificate.

  4. Save the response file to the diskette as a .DER file.

  5. Click OK to acknowledge.

  6. Click OK on the yellow back arrow.

  7. From the Certificate Authority Operator (CAO) menu, click Open/Create PKI.

  8. Right-click the CA object > click Export Certificate.

  9. Click DER Encoded Certificate.

  10. Save the Trusted Root file to the diskette as a .DER file.

  11. Select PKI > Done.

To import the new trusted root and the signed server certificate, perform the following steps.

After the external CA responds with the certificate:

  1. In the browser-based management tool, click Home > Certificate Maintenance > click the name of the certificate you want to store > click Store Certificate.

  2. In the Store Certificates dialog box, paste the CA certificate into the CA Certificate Contents box. If you are using the Novell CA, this is where the Self Signed Certificate should be placed.

    NOTE:  If the CA Certificate Contents and the Server Certificate Contents are in the same Base-64 encoded file, check the No trusted root certificate available check box. This will gray out the CA Certificate Contents box and allow the single Base-64 encoded file containing the entire certificate chain to be pasted into the Server Certificate Contents box.

  3. Paste your newly issued certificate in the Server Certificate Contents box.

  4. Click Create.

    Examine the Action and Status fields. The Action field should have red arrows on the left and the word Create displayed on a green background. The Status should be CSR in Process. The red arrows and green background indicate that you need to click Apply.

  5. Click Apply.

    If any errors occur during the certificate creation process, they will be displayed in the Error field on a red background.

    If an error occurs:

    1. Click Store Certificate.

    2. In the Store Certificate dialog box, verify that the correct certificates are pasted in the boxes > click OK.

    3. Click Apply. Repeat the modification process until the Status field displays the words Active on a green background.
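The "No trusted root certificate available" option above accepts a single Base-64 file holding the whole chain, so before pasting it is worth checking that the file really contains the server certificate followed by its issuer up to a self-signed root. The following Python script is an added example, independent of the iChain product and of the Baltimore CA software: it splits a PEM bundle into its CERTIFICATE blocks, walks each DER certificate just far enough to read the subject and issuer common names, and reports any break in the issuer-to-subject linkage. It uses only the standard library; the two certificates it constructs for the demonstration are X.509-shaped placeholders with empty key and signature fields, and the assumed order (end-entity first, root last) is this example's convention, not something the iChain documentation states.

```python
import base64
import re
import textwrap

_CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OID_COMMON_NAME = bytes.fromhex("550403")      # id-at-commonName, 2.5.4.3


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[start:end], end


def _children(body):
    """All top-level (tag, body) elements inside a constructed DER body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _common_name(name_body):
    """Pull the CN out of an X.501 Name (SEQUENCE of SET of AttributeTypeAndValue)."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == _OID_COMMON_NAME:
                return value.decode("ascii", "replace")
    return ""


def subject_issuer(der):
    """Return (subject CN, issuer CN) of a DER X.509 certificate.

    Walks Certificate -> tbsCertificate and skips the optional [0] version so
    that issuer and subject sit at fixed positions (RFC 5280 section 4.1).
    """
    tag, cert, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert)
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:         # [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return _common_name(fields[4][1]), _common_name(fields[2][1])


def pem_blocks(bundle):
    """DER bytes of every CERTIFICATE block in a Base-64 bundle, in file order."""
    return [base64.b64decode(re.sub(r"\s+", "", m.group(1))) for m in _CERT_BLOCK.finditer(bundle)]


def chain_report(bundle):
    """Check that the bundle runs server certificate -> ... -> self-signed root.

    Returns ([(subject, issuer), ...], [problem descriptions]). The expected
    order (end-entity first, root last) is an assumption of this example.
    """
    certs = [subject_issuer(d) for d in pem_blocks(bundle)]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE blocks found")
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:
            problems.append(f"block {i} ({certs[i][0]!r}) is issued by {certs[i][1]!r}, "
                            f"but block {i + 1} is {certs[i + 1][0]!r}")
    if certs and certs[-1][0] != certs[-1][1]:
        problems.append("last block is not self-signed: trusted root is missing")
    return certs, problems


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"


def constructed_certificate(subject_cn, issuer_cn):
    """Constructed X.509-shaped DER carrying only the fields this example reads.

    Placeholder: empty algorithm/validity/key fields and a dummy signature,
    so it parses here but is not a usable certificate.
    """
    def name(cn):
        atv = _tlv(0x30, _tlv(0x06, _OID_COMMON_NAME) + _tlv(0x13, cn.encode("ascii")))
        return _tlv(0x30, _tlv(0x31, atv))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + name(issuer_cn) + _tlv(0x30, b"") + name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    root = constructed_certificate("Constructed Root CA", "Constructed Root CA")
    server = constructed_certificate("proxy.example.test", "Constructed Root CA")
    print("good order:", chain_report(to_pem(server) + to_pem(root)))
    print("wrong order:", chain_report(to_pem(root) + to_pem(server)))
```

An empty problem list means the blocks link up in the assumed order; a linkage message usually means the server and CA certificates were pasted in the wrong order, and the "not self-signed" message means the trusted root was left out of the bundle, in which case it belongs in the CA Certificate Contents box instead.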