8.1 Server Certificates Changes in OES 11 and Later

The Server Certificates service can create certificates for eDirectory services to use when you install the operating system. In addition, custom certificates can be created after the install by using Novell iManager or the command line.

8.1.1 Using eDirectory Server Certificates in a Cluster

In a NetWare cluster, you might have copied the Server Certificate objects to all nodes in the cluster using backup and restore functions for Server Certificate objects. This functionality is also available for OES clusters. You can use the backup and restore feature for Server Certificate objects to duplicate the object’s keying material from one node on the cluster to all nodes.

For information about setting up server certificates in a Novell Cluster Services cluster, see the following sections of the NetIQ Certificate Server Administration Guide:

8.1.2 Using eDirectory Server Certificates for HTTPS Services

On NetWare and on OES2 or later, all applications are integrated with eDirectory. This allows applications to automatically use the server certificates created by Certificate Server directly from eDirectory.

However, on OES1, many native Linux applications (such as Apache and Tomcat) are not integrated with eDirectory and therefore cannot automatically use the certificates created by Certificate Server directly from eDirectory. By default, these services use the self-signed common server certificate created by YaST:

  • Certificate file: /etc/ssl/servercerts/servercert.pem

  • Key file: /etc/ssl/servercerts/serverkey.pem

Self-signed certificates provide minimal security and limited trust, and are not in compliance with the X.509 requirements as specified in RFC 2459 and RFC 3280. We recommend that you use eDirectory certificates instead.

When installing OES2 or later on Linux, the YaST installer provides a configuration screen that lets you specify whether the server should automatically export eDirectory Server Certificates to the file system, eliminating the need to manually configure the server through iManager. This option is selected by default. If it is selected, the installer automatically replaces the existing server certificate and key files (YaST or third-party) with an eDirectory server certificate and key files.
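The following script is an added example, not part of the OES documentation or any Novell/NetIQ tool. It audits the certificate and key pair that non-eDirectory-integrated services load from the paths named above (overridable through the CERT_FILE and KEY_FILE environment variables, which are this example's own convention) and reports whether the certificate is still self-signed, whether the key file actually belongs to it, and whether it has expired. It assumes only the openssl command-line tool is installed; the demo certificates it generates when the real files are absent are constructed throw-away material, not real server keys.

```shell
#!/bin/sh
# Added example, not from the OES documentation: audit the certificate and
# key files that non-eDirectory-integrated services (Apache, Tomcat) load.
# Reports whether the certificate is still a self-signed one (the YaST
# default), whether the key file really belongs to it, and whether it has
# expired. Needs only the openssl command-line tool.

# The paths below are the ones the OES documentation names; override with
# environment variables (this script's own convention) to inspect another pair.
CERT_FILE="${CERT_FILE:-/etc/ssl/servercerts/servercert.pem}"
KEY_FILE="${KEY_FILE:-/etc/ssl/servercerts/serverkey.pem}"

# Print "yes" if issuer and subject are identical (self-signed), else "no".
cert_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then echo yes; else echo no; fi
}

# Succeed only if the public key inside the certificate equals the public
# half of the private key file (works for RSA and EC keys alike).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate's notAfter date is already in the past.
cert_is_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all three checks, print one line per finding, and return 0 only if the
# pair is CA-issued, consistent and current.
report_server_cert() {
    cert=$1; key=$2; rc=0
    if [ "$(cert_is_self_signed "$cert")" = yes ]; then
        echo "WARN: $cert is self-signed (YaST default or third-party self-signed)"; rc=1
    else
        echo "OK:   $cert was issued by $(openssl x509 -in "$cert" -noout -issuer)"
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "OK:   $key matches the certificate"
    else
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    if cert_is_expired "$cert"; then
        echo "FAIL: certificate expired ($(openssl x509 -in "$cert" -noout -enddate))"; rc=1
    else
        echo "OK:   $(openssl x509 -in "$cert" -noout -enddate)"
    fi
    return $rc
}

# --- constructed sample data for a stand-alone run (not real server keys) ---

# A throw-away self-signed pair, the shape YaST's default files have.
make_demo_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=oes-demo.example.invalid" \
        -keyout "$1/serverkey.pem" -out "$1/servercert.pem" >/dev/null 2>&1
}

# A throw-away CA plus a server certificate it issued, standing in for the
# CA-issued pair the installer exports from eDirectory.
make_demo_ca_issued() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Issuing CA" -keyout "$1/ca-key.pem" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=oes-demo.example.invalid" \
        -keyout "$1/issued-key.pem" -out "$1/issued.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/issued.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -days 30 -sha256 -out "$1/issued-cert.pem" >/dev/null 2>&1
}

# Stand-alone run: inspect the real files when present, else the demo pairs.
if [ -r "$CERT_FILE" ] && [ -r "$KEY_FILE" ]; then
    report_server_cert "$CERT_FILE" "$KEY_FILE" || echo "Result: one or more checks failed"
else
    demo_dir=$(mktemp -d)
    make_demo_self_signed "$demo_dir"
    make_demo_ca_issued "$demo_dir"
    echo "== self-signed demo pair =="
    report_server_cert "$demo_dir/servercert.pem" "$demo_dir/serverkey.pem" || true
    echo "== CA-issued demo pair =="
    report_server_cert "$demo_dir/issued-cert.pem" "$demo_dir/issued-key.pem" || true
    rm -rf "$demo_dir"
fi
```

Run it as root on a server after the installer has exported the eDirectory certificate: a WARN line on the first check means the files at /etc/ssl/servercerts are still the YaST self-signed pair, and a FAIL on the key check means the certificate was replaced without its key (or vice versa), which is the usual reason Apache or Tomcat refuse to start after a certificate swap. The key comparison goes through the public key rather than an RSA modulus so it works unchanged for EC keys.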

For more information on how to manually configure OES1 servers to use eDirectory certificates, see NetIQ Certificate Server Administration Guide.