You can import certificates created by an external certificate authority. These certificates then need to be assigned to a device by adding the certificate to the device’s keystore. The subject name of the certificate needs to match the DNS name of the device, or if you are using wildcard certificates, the main domain name needs to match. You can perform the following certificate tasks:
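The matching rule above (exact DNS name, or a wildcard whose domain matches) as a check you can run against the names a certificate carries before assigning it to a device. This is an added example, not Access Manager code; the wildcard semantics it applies (single leftmost label, one label deep, no top-level wildcards) are the usual client-side interpretation and are an assumption of the example.

```python
"""Does a certificate's DNS name cover a device's host name?

Added example, not Access Manager code. It implements the rule in the
text above: the certificate name must equal the device's DNS name, or,
for a wildcard certificate, the wildcard must cover the device's domain.
The exact wildcard semantics are an assumption of this example and follow
the usual client (RFC 6125 style) interpretation.
"""
from typing import Iterable


def name_matches(cert_name: str, host: str) -> bool:
    """Return True when one certificate DNS name covers `host`.

    Assumed rules:
    - comparison is case-insensitive and ignores a trailing dot
    - an exact match always succeeds
    - a wildcard is accepted only as the entire leftmost label ("*.example.com"),
      it stands for exactly one label, never matches the bare domain itself,
      and is rejected when it would cover a whole top-level domain ("*.com")
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" in host or not host:
        return False  # a host name never legitimately contains a wildcard
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False  # partial wildcards such as "w*.example.com" are not accepted
    if cert_name.count(".") < 2:
        return False  # "*.com" would match every host in a TLD
    host_labels = host.split(".")
    # the wildcard replaces exactly one leading label
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == cert_name[2:]


def certificate_covers_host(subject_cn: str, san_dns_names: Iterable[str], host: str) -> bool:
    """Accept `host` if any SAN dNSName covers it. The subject CN is consulted only
    when the certificate carries no SAN dNSName entries, which is how current
    clients behave (assumption: the console applies the same precedence)."""
    san = [n for n in san_dns_names if n]
    candidates = san if san else [subject_cn]
    return any(name_matches(name, host) for name in candidates)


if __name__ == "__main__":
    # constructed sample: one wildcard certificate checked against two devices
    for device in ("idp.example.com", "ag.internal.example.com"):
        ok = certificate_covers_host("*.example.com", ["*.example.com"], device)
        print(f"{device}: {'matches' if ok else 'does NOT match'}")
```

The second device in the sample does not match because the wildcard stands for exactly one label; a device two labels below the wildcard domain needs its own certificate or a wildcard for the deeper domain.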
The Certificate Details page lists the properties of a certificate, such as certificate type, name, subject, and assigned keystores. The fields are not editable.
In the Administration Console, click > .
Select one of the following:
Click the name of a certificate that is not in a CSR Pending state. The Certificate Details page contains the following information about the certificate:
Click the name of a certificate in a CSR Pending state. The following information is displayed:
(Conditional) For a certificate not in a CSR Pending state, select one of the following actions:
Renew: Allows you to renew the certificate. For more information, see Section 3.3.3, Renewing a Certificate.
Export Private/Public Keypair: Allows you to export private certificates to obtain a backup copy of the key, to move the key to a different server, or to share the key between servers. For more information, see Section 3.3.4, Exporting a Private/Public Key Pair.
Export Public Certificate: Allows you to export a public key certificate to a file. For more information, see Section 3.3.5, Exporting a Public Certificate.
Add Certificate to Keystores: Allows you to assign the certificate to a keystore so that it can be used by Access Manager. For more information, see Section 3.3.2, Adding a Certificate to a Keystore.
(Conditional) For a certificate in a CSR Pending state, select one of the following actions:
Import Signed Certificate: Allows you to import the certificate that was generated for this request. For more information, see Section 3.2.5, Importing a Signed Certificate.
Export CSR: Allows you to export the CSR to a CSR file.
After importing a certificate, you need to assign the certificate to a keystore before Access Manager can use it.
In the Administration Console, click > .
Select a certificate.
Click > .
Specify the keystore to which you are adding the certificate. To locate a keystore:
Click the button.
For a description of the Access Manager keystores, see Section 3.1.3, Access Manager Keystores.
On the Keystore Details page, select the keystore, then click .
Fill in the following fields:
Alias: Specify the certificate alias.
Overwrite keys with same alias: Select whether to overwrite certificates with the same alias, if the alias you specify is already in use in that keystore.
Click .
Update the device or devices that are using this keystore.
NOTE: For problems related to failures in adding certificates to a keystore, and for validating the cross-device existence of the trusted root of the certificates in a particular keystore, see Section 7.3, Troubleshooting Options for Certificate Problems.
The Certificate Details page lists the properties of a certificate, such as certificate type, name, subject, and assigned keystores. This page also includes the original CSR when the certificate is still in a pending state (for example, you have generated the CSR, but you have not yet received and imported the signed certificate). If the certificate is expiring, you can cut and paste its text to send it to the CA to get a renewed certificate, then import the newly signed certificate.
For the certificates that Access Manager uses internally, a certificate process is started with Tomcat. This process runs once every 24 hours. It checks all the internal certificates and determines if they are going to expire within 30 days. If they are due to expire, the process automatically regenerates the certificate or trusted root. When a certificate is regenerated, the following message appears:
One or more automatically created certificates were regenerated. Reboot the entire administration console as soon as possible to avoid interruption of service.
This message appears when the administrator logs into the Administration Console, or if the administrator is already logged in, when the administrator switches from one page to another.
This event is also audited. Another audit event is generated that tells the administrator to restart any affected services. When the Administration Console certificate and the eDirectory certificates are expiring, a log entry is written to the app_sc log file. The log entry contains the “Recreating auto-generated certificates” string, as well as a couple of success or failure messages per regenerated key.
Certificates and trusted roots that are manually created with the Access Manager CA or are imported into the Administration Console use a different process. The administrator is warned that these certificates are expiring when the administrator logs in to the Administration Console. The following message is displayed:
Warning: the following certificates are expired or will expire within X days: <certA>, <certB>.
This message is displayed each time the administrator logs into the Administration Console. Events for the expiration of these certificates are not audited and are not logged.
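One run of the expiry check described above, as an added example (not Access Manager code): auto-generated internal certificates inside the 30-day window are queued for regeneration, while manually created or imported certificates only produce the login warning in the format quoted above. The inventory, the clock and the `auto_generated` flag are constructed sample data and assumptions of the example.

```python
"""Periodic expiry sweep modelled on the process described above.

Added example, not Access Manager code. One run sorts certificates into those
the product would regenerate itself (auto-generated internal certificates due
within the window) and those that only trigger the login warning (certificates
created with the CA or imported). The inventory and the clock are constructed
sample data; names and the `auto_generated` flag are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

WINDOW_DAYS = 30                      # threshold stated in the text above
SWEEP_INTERVAL = timedelta(hours=24)  # the check runs once every 24 hours


@dataclass
class CertRecord:
    name: str
    not_after: datetime      # notAfter from the certificate, timezone-aware
    auto_generated: bool     # True for certificates Access Manager created for itself


def days_until_expiry(cert: CertRecord, now: datetime) -> int:
    """Whole days left (floored); negative once the certificate has expired."""
    return (cert.not_after - now) // timedelta(days=1)


def sweep(inventory: List[CertRecord], now: datetime,
          window_days: int = WINDOW_DAYS) -> Tuple[List[str], str]:
    """Return (names to regenerate, warning text) for a single run.

    Expired certificates count as "within the window", so they are never skipped.
    The warning text follows the message format quoted above; it is empty when
    no manually managed certificate is due.
    """
    regenerate: List[str] = []
    warn: List[str] = []
    for cert in inventory:
        if days_until_expiry(cert, now) > window_days:
            continue
        (regenerate if cert.auto_generated else warn).append(cert.name)
    message = ""
    if warn:
        message = ("Warning: the following certificates are expired or will expire "
                   f"within {window_days} days: {', '.join(warn)}.")
    return regenerate, message


# constructed sample data (not real certificate names)
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    CertRecord("internal-connector-cert", SAMPLE_NOW + timedelta(days=10), True),
    CertRecord("internal-signing-cert", SAMPLE_NOW + timedelta(days=90), True),
    CertRecord("imported-gateway-cert", SAMPLE_NOW + timedelta(days=5), False),
    CertRecord("imported-legacy-cert", SAMPLE_NOW - timedelta(days=3), False),
]


if __name__ == "__main__":
    to_regenerate, warning = sweep(SAMPLE_INVENTORY, SAMPLE_NOW)
    print("regenerate:", to_regenerate)
    print(warning or "no manually managed certificate is due")
    print("next sweep at", SAMPLE_NOW + SWEEP_INTERVAL)
```

Because the manually managed certificates are neither audited nor logged, the warning string returned here is the only signal the product gives for them; feeding the same inventory to an external monitor is how you get an alert that does not depend on an administrator logging in.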
To renew a certificate:
In the Administration Console, click > .
Click the certificate name.
Click .
On the Renew page, either browse to locate and select the certificate, or select the option and paste the certificate data into the text box.
Click .
Update the device using the certificate.
When you create a certificate, you can specify whether it is exportable. If a key is exportable, it can be extracted and put in a file along with the associated certificate. The file is written in an industry standard format, PKCS#12, which allows it to be transported to other platforms. It is encrypted with a user-specified password to protect the private key. You can export private certificates to obtain a backup copy of the key, to move the key to a different server, or to share the key between servers.
You cannot export a certificate if you enabled the while creating the certificate.
In the Administration Console, click > .
On the Certificates page, click the certificate.
On the Certificate Details page, click .
Select the format for the key:
PFX/PKCS12: Public Key Cryptography Standards #12 (PKCS#12) format, which is also called PFX format. This format can be used to create JKS or PEM files.
JKS: Java keystore format.
Specify the password in the password field, then click OK.
IMPORTANT: Remember this password because you need it to re-import the key.
Click .
You can export a trusted root or a public key certificate to a file so that a client can use it to verify the certificate chain sent by a cryptography-enabled application, or to have a backup copy of the file.
You can export the certificate in the following formats:
DER-encoded (.der) to a file.
PEM-encoded to a file. This is a Base64-encoded DER certificate that is enclosed between the BEGIN CERTIFICATE and END CERTIFICATE tags.
PEM CUT/Paste Buffer. This displays the certificate data so that you can copy it to the system Clipboard and then paste it directly into a cryptography-enabled application.
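The relationship between the three export forms above, as an added example (not Access Manager code): PEM is the DER bytes Base64-encoded, wrapped at 64 columns and enclosed in the BEGIN CERTIFICATE and END CERTIFICATE lines, and the cut/paste buffer is that same text. `PLACEHOLDER_DER` is constructed filler, not a real certificate, so only the encoding layer is exercised; `paste_buffer_is_intact` is the check worth running on a buffer that went through the clipboard, since a paste that lost its END line or its last Base64 line still looks like a certificate at a glance.

```python
"""The three public-certificate export forms described above: DER bytes, a PEM
file, and the PEM cut/paste buffer.

Added example, not Access Manager code. PLACEHOLDER_DER is constructed filler,
not a real certificate, so only the encoding layer is shown: PEM is the DER
bytes Base64-encoded, wrapped at 64 columns, between the BEGIN CERTIFICATE and
END CERTIFICATE lines. `paste_buffer_is_intact` is the check worth running before
trusting a buffer that went through the clipboard: it must decode back to exactly
the exported DER.
"""
import base64
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# constructed placeholder bytes, NOT a real certificate
PLACEHOLDER_DER = bytes(range(0x30, 0x30 + 80))


def der_to_pem(der: bytes) -> str:
    """PEM-encode: Base64 body wrapped at 64 characters between the tag lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strict decode: both tag lines must be present and the body must be valid
    Base64. A truncated clipboard paste typically fails one of these checks."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a complete PEM certificate block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def paste_buffer_is_intact(buffer: str, exported_der: bytes) -> bool:
    """True only when the pasted text decodes to exactly the DER that was exported."""
    try:
        return pem_to_der(buffer) == exported_der
    except ValueError:  # binascii.Error from a bad Base64 body is a ValueError too
        return False


def agrees_with_stdlib(der: bytes) -> bool:
    """Cross-check against the standard library's own DER/PEM converters."""
    pem = der_to_pem(der)
    return pem == ssl.DER_cert_to_PEM_cert(der) and ssl.PEM_cert_to_DER_cert(pem) == der


if __name__ == "__main__":
    pem = der_to_pem(PLACEHOLDER_DER)
    print(pem, end="")
    print("round trip ok:", paste_buffer_is_intact(pem, PLACEHOLDER_DER))
    truncated = "\n".join(pem.splitlines()[:-2] + [PEM_END])  # last Base64 line lost
    print("truncated paste ok:", paste_buffer_is_intact(truncated, PLACEHOLDER_DER))
```

The truncated buffer in the sample still decodes without error (64 Base64 characters are a whole number of groups), which is why comparing against the exported DER, rather than just checking that the paste decodes, is the useful test.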
To export the public certificate:
In the Administration Console, click > .
Click the certificate name.
On the Certificate Details page, click , then click the file type.
Save the output file to the location of your choosing.
If you created a key pair that was exported from another certificate management system, you can import the key pair and then assign it to an Access Manager device. The file needs to be in PFX/PKCS12 (*.pfx or *.p12) format.
In the Administration Console, click > .
Choose > .
Fill in the following fields:
Certificate name: The name of the certificate. This is a system-wide, unique name used by Access Manager. The name must contain only alphanumeric characters and no spaces. If the name starts with a number, an underline (_) prefix is added to the name so that the name conforms to XML requirements. If the name contains invalid characters, it is automatically renamed.
Keystore password: Type the encryption/decryption password established when exporting the certificate.
Certificate data file (PFX/PKCS12): The certificate file to import. You can browse to locate the *.pfx or *.p12 file.
Certificate data file (JKS): To locate a JKS file, select this option, then click the button.
Click .
If you receive an error when importing the certificate, the error comes from either NICI or PKI. For a description of these error codes, see Novell Certificate Server Error Codes and Novell International Cryptographic Infrastructure. For general certificate import issues, see Section 7.1.1, Importing an External Certificate Key Pair.
Continue with Adding a Certificate to a Keystore.
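The certificate-name rules from the field description above, as a check you can run before typing a name into the import form. This is an added example, not Access Manager code: the underscore prefix for a leading digit is stated in the text, but the text does not say how the console renames a name containing invalid characters, so replacing each such character with an underscore is an assumption of the example.

```python
"""Certificate-name rules from the field description above, as a pre-check.

Added example, not Access Manager code. `is_acceptable_name` tests the stated
rule (letters and digits only, no spaces, no leading digit so that nothing is
renamed). `normalize_name` models what the console stores: the '_' prefix for
a leading digit is stated in the text; replacing every other invalid character
with '_' is an assumption of this example.
"""
import re

ACCEPTABLE = re.compile(r"[A-Za-z0-9]+")


def is_acceptable_name(name: str) -> bool:
    """True when the name needs no renaming: alphanumeric, non-empty, no leading digit."""
    return bool(ACCEPTABLE.fullmatch(name)) and not name[0].isdigit()


def normalize_name(name: str) -> str:
    """Return the name as the console would store it (renaming rule assumed)."""
    if not name:
        raise ValueError("certificate name must not be empty")
    cleaned = re.sub(r"[^A-Za-z0-9]", "_", name)   # assumption: invalid chars become '_'
    if cleaned[0].isdigit():
        cleaned = "_" + cleaned                     # stated: leading digit gets a '_' prefix
    return cleaned


if __name__ == "__main__":
    # constructed sample names
    for candidate in ("gatewaycert", "gateway cert", "2024gateway", "idp.example.com"):
        print(f"{candidate!r}: acceptable={is_acceptable_name(candidate)} "
              f"stored as {normalize_name(candidate)!r}")
```

Running the check first matters because the stored name is what other configuration refers to; a name that is silently rewritten on import is easy to lose track of when you later assign the certificate to a keystore.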
You can view the status of the commands that have been sent to the certificate server for execution.
In the Administration Console, click > , then click .
Use the following options to review or change a server’s certificate command status:
Delete: To delete a command, select the check box for the command, then click . The selected command is cleared.
Refresh: Click to update the current cache of recently executed commands.
Name: Click this box to select all the commands in the list, then click or .
The following table describes the features on this page:
To review command information, click a link under the column.
This page displays status information about the command and allows you to perform the following tasks:
Refresh: Select this option to refresh the data for this command.
Delete: Select this option to clear this command.
The following command information is listed:
Name: Specifies the display name that has been given to the command.
Type: Specifies the type of command.
Admin: Specifies whether the system or a user issued the command. If a user issued the command, the field contains the DN of the user.
Status: Specifies the status of the command, and includes such states as , , , and .
Last Executed On: Specifies when the command was issued. The date and time are displayed in local time. If the command failed, additional information is available.
For a command that the Administration Console can successfully process, the page displays a section with the name of the command and the command results.
Click .
The Keystore Details page allows you to view associated cluster member keystores and to replace certificates associated with the keystore.
Not all keystores are associated with a cluster configuration. Those that are (for example, the Signing and Encryption keystores) display the following information:
Some keystores require a single certificate, so you can only replace the certificate. Other keystores can contain multiple certificates. In this type of keystore, you can add and remove certificates.
To view a keystore:
In the Administration Console, click .
Click the down-arrow in the column, then select a keystore.
To remove a certificate, select the certificate, then click . This option is not available for all keystores.
To add or replace a certificate:
Click either or .
Fill in the following fields:
Certificate: Specifies the certificate you want to add. You can browse to locate the certificate. When you browse, the system displays the Select Certificate page. Select the certificate, then click .
Alias(es): Specifies the certificate alias. This name is displayed in the list of certificates assigned to the keystore.
Overwrite keys with the same alias: (If available) Select if you want only one certificate with the specified alias in the keystore.
Click .
Click .