Environment
VeriSign Certificate
Novell NetWare 6.5
Novell eDirectory 8.7.3 for All Platforms
Novell Certificate Server 2.x
Novell NetWare 6.5
Novell eDirectory 8.7.3 for All Platforms
Novell Certificate Server 2.x
Situation
How to import an Evaluation VeriSign External Certificate into eDirectory 8.7.3
Resolution
These steps document how to import an evaluation VeriSign external certificate (valid for 14 days) into eDirectory using Novell's Certificate Server. These steps are based on the versions of Certificate Server, ConsoleOne and NICI contained in eDirectory 8.7.3 and NetWare 6.5. It also references the links found on VeriSign's site on the date of this Solution Document.
2.Reload HTTPSTK with the new KMO (Example., load HTTPSTK.NLM /SSL /keyfile:"VerisignCertKMO"
4.Open a browser on a workstation and connect to Remote Manager via SSL ( Example., https: //server_ip:8009 )
5.If you are prompted to accept a certificate then the new KMO is working..
Overview:
1. First a CSR (Certificate Signing Request) must be created. To do so create a KMO (ndspki:Key Material Object) with the appropriate key information. We will then send VeriSign our CSR which they will sign and send back to us. This will be our Signed Certificate.
2. To complete the KMO, two items need to be stored during the import into eDirectory. One is the returned signed certificate referred to in the above step. The second is a Trusted Root. This can either be exported from Internet Explorer or from the vendors web site depending on the vendor. In our test case we will get it from the VeriSign site. Both the CA and Signed Certificate will be imported into the KMO created during the CSR generation procedure.
3. Services need to be configured to use the new KMO.
Together these items complete the certificate chain and allow for the certificate to be validated.
Steps:
A. Creating the CSR in Console One.
1. Make sure the ConsoleOne workstation is using the following:
ConsoleOne 1.3.6 or higher
Certificate Server snapin Version 2 (2.23 Build 34 or higher) Verify by selected Help - About Snapins.
Server NICI 2.6 or higher. Verify with Control Panel - Add/Remove Programs
2. Open ConsoleOne. From the server's container create a new object - NDSPKI:KeyMaterial object.
3. On the first Create Certificate dialog screen select the server this certificate will be tied to. Give it a descriptive name (ie., VeriSign).
4. For Creation Type choose Custom and select Next. On the specify Certificate Authority page select "External Certificate Authority" and select "Next".
5. On the RSA key size screen accept the defaults of 2048 bits and allow private key to be exported then select "Next".
7. While on the Certificate Parameters screen select to use the SHA1 algorithm (strongest authentication).
8. Select "Next" and "Finish". The keys will be generated.
9. Select to save the CSR to the System clipboard in Base64 format and select "Save".
B. Provide VeriSign with the generated CSR.
1. Go to VeriSign's site (www.verisign.com). Select the "Free SSL Trial" link. You can choose whether to save your profile information or not. Select Continue to begin the 6 Step process.
2. You are now presented with a contact information screen. You will receive the signed certificate via the email address you enter here. Fill out the form making sure you enter a valid email address and continue to the next step.
3. The screen labeled "Enter Certificate Signing Request (CSR)" prompts for the CSR to be copied into the text box provided. For the "Select Server Platform" select "Server not listed". Using the mouse left click in this blank text field then press the "Control" and "V" keys simultaneously so the CSR is copied from the clipboard to the CSR field. Click "Continue".
5. The next screen gives you the option to verify what you are about to send. Also add the requested information for the Challenge phrase and question.
1. Make sure the ConsoleOne workstation is using the following:
ConsoleOne 1.3.6 or higher
Certificate Server snapin Version 2 (2.23 Build 34 or higher) Verify by selected Help - About Snapins.
Server NICI 2.6 or higher. Verify with Control Panel - Add/Remove Programs
2. Open ConsoleOne. From the server's container create a new object - NDSPKI:KeyMaterial object.
3. On the first Create Certificate dialog screen select the server this certificate will be tied to. Give it a descriptive name (ie., VeriSign).
4. For Creation Type choose Custom and select Next. On the specify Certificate Authority page select "External Certificate Authority" and select "Next".
5. On the RSA key size screen accept the defaults of 2048 bits and allow private key to be exported then select "Next".
7. While on the Certificate Parameters screen select to use the SHA1 algorithm (strongest authentication).
8. Select "Next" and "Finish". The keys will be generated.
9. Select to save the CSR to the System clipboard in Base64 format and select "Save".
B. Provide VeriSign with the generated CSR.
1. Go to VeriSign's site (www.verisign.com). Select the "Free SSL Trial" link. You can choose whether to save your profile information or not. Select Continue to begin the 6 Step process.
2. You are now presented with a contact information screen. You will receive the signed certificate via the email address you enter here. Fill out the form making sure you enter a valid email address and continue to the next step.
3. The screen labeled "Enter Certificate Signing Request (CSR)" prompts for the CSR to be copied into the text box provided. For the "Select Server Platform" select "Server not listed". Using the mouse left click in this blank text field then press the "Control" and "V" keys simultaneously so the CSR is copied from the clipboard to the CSR field. Click "Continue".
5. The next screen gives you the option to verify what you are about to send. Also add the requested information for the Challenge phrase and question.
6. The next screen gives you a summary and asks you to Accept the Privacy Statement. Click Accept.
6. The next page will say that the order is complete and that the instructions will arrive via email within the hour. You may record the order number for future reference if you want.
C. Acquire the Trial CA Root
This step is only needed for the evaluation certificate. We need to hold two items to complete this certificate: CA Root Authority and Signed Certificate.
Once you have received your email from VeriSign containing the Signed Certificate you are ready to import the Trial CA root (now containing both the Intermediate and CA root chain) and Signed Certificate into the KMO created during the CSR creation. There are two import screens presented during this process. The first requires the Trial CA root file exported from IE. The second requires the Signed Certificate emailed to you from VeriSign.
1. Using ConsoleOne open the properties of the server KMO. Select the Certificates tab - Trusted Root Certificates page - Select Import. Make sure you DO NOT check the box labeled"No Trusted Root Available". You are now at the first import screen ready to import the Trial CA Root. Select Read from File - Point to the GETACERT.CER file from Step C (You may have to select All Files for the file type in order to see the .CER file). Select Open - Next.
2. You are now at the second import screen. It is here that the Signed Certificate received from VeriSign is pasted in. Open your email client. In the last part of the email body you will see a section that has a header of Begin Certificate followed by many characters that is terminated with a End Certificate line. Highlight and copy all characters between the Begin and End statements including the Begin and End statements as well. Back on the ConsoleOne screen left click once in the Certificate Import dialog then simultaneously press the "Control" and "V" keys to paste in the information. Select Finish.
NOTE You may get a -1, -1232 error (0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE) or a message that states the subject names don't match. Often Verisign will modify the subject name in the certificate before signing it and sending it back. The subject name for the certificate in the tree must match that of the signed certificate or else the import will not complete. Please see
6. The next page will say that the order is complete and that the instructions will arrive via email within the hour. You may record the order number for future reference if you want.
C. Acquire the Trial CA Root
This step is only needed for the evaluation certificate. We need to hold two items to complete this certificate: CA Root Authority and Signed Certificate.
Once you have received your email from VeriSign containing the Signed Certificate you are ready to import the Trial CA root (now containing both the Intermediate and CA root chain) and Signed Certificate into the KMO created during the CSR creation. There are two import screens presented during this process. The first requires the Trial CA root file exported from IE. The second requires the Signed Certificate emailed to you from VeriSign.
1. Using ConsoleOne open the properties of the server KMO. Select the Certificates tab - Trusted Root Certificates page - Select Import. Make sure you DO NOT check the box labeled"No Trusted Root Available". You are now at the first import screen ready to import the Trial CA Root. Select Read from File - Point to the GETACERT.CER file from Step C (You may have to select All Files for the file type in order to see the .CER file). Select Open - Next.
2. You are now at the second import screen. It is here that the Signed Certificate received from VeriSign is pasted in. Open your email client. In the last part of the email body you will see a section that has a header of Begin Certificate followed by many characters that is terminated with a End Certificate line. Highlight and copy all characters between the Begin and End statements including the Begin and End statements as well. Back on the ConsoleOne screen left click once in the Certificate Import dialog then simultaneously press the "Control" and "V" keys to paste in the information. Select Finish.
NOTE You may get a -1, -1232 error (0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE) or a message that states the subject names don't match. Often Verisign will modify the subject name in the certificate before signing it and sending it back. The subject name for the certificate in the tree must match that of the signed certificate or else the import will not complete. Please see
TID 3818804 - Trying to import a Verisign certificate via ConsoleOne gives a " -1 ERROR " for details on how to edit the subject name in eDirectory so that it matches the one in the signed certificate sent by Verisign.
NOTE You may get a -1232 0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE or a message that states the subject names don't match. Often Verisign will modify the subject name in the certificate before signing it and sending it back. The subject name for the certificate in the tree must match that of the signed certificate or else the import will not complete. Please see
TID 3815533 - Importing an external public key certificate fails with error: "-1232 0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE" for details on how to edit the subject name in eDirectory so that it matches the one in the signed certificate sent by Verisign.
2.Reload HTTPSTK with the new KMO (Example., load HTTPSTK.NLM /SSL /keyfile:"VerisignCertKMO"
4.Open a browser on a workstation and connect to Remote Manager via SSL ( Example., https: //server_ip:8009 )
5.If you are prompted to accept a certificate then the new KMO is working.
Additional Information
For imformation on how to import a Production Certificate and other useful TID links please see - TID 3033173
This TID formerly known as TID# 10088935
This TID formerly known as TID# 10088935
NOVL94049