SSL Certificates expire after two years, affecting OES services

  • 7000075
  • 14-Apr-2008
  • 04-Dec-2013

Environment

Novell eDirectory 8.7.3 for Linux
Novell Open Enterprise Server

Situation

By default, the SSL certificates created during the install of OES1 and used by its services expire 2 years after the install.

After the SSL certificates expire, these services fail to work until the SSL certificate is recreated and the service/application has been reconfigured to use the new SSL certificate.

Resolution

Once the SSL Certificate has expired, a new SSL Certificate needs to be created.

To create a new eDirectory SSL Certificate, do the following:
(the following steps assume the use of iManager 2.7 with the latest Certificate Server Plug-ins)

1. Log in to iManager 2.7.
2. From Roles and Tasks, expand "Novell Certificate Server". Select "Repair Default Certificates" and follow the wizard to create new SSL certificates.
3. Once the new SSL certificates are created, restart nldap and verify that a Secure LDAP connection can be made. (See TID# 7002343)
4. After LDAP is running with the new certificate, import the certificate into Linux User Management. Do this by running "namconfig -k", logging in, and then restarting namcd with "rcnamcd restart".

Any other service/application which relies on SSL and LDAPS will need to be reconfigured once the SSL Certificates expire.
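The script below is an added example, not part of the original TID: it reports how close the LDAPS certificate is to expiry, so the renewal above can be scheduled before services fail, and it can confirm the new expiry date after step 3. The warning and critical thresholds and the function names are assumptions; it relies only on the standard openssl command line.

```shell
#!/bin/bash
# Added example (not from the TID): report how close a server certificate is
# to expiry. Thresholds are assumptions; tune them to your renewal lead time.
WARN_DAYS=${WARN_DAYS:-60}
CRIT_DAYS=${CRIT_DAYS:-14}

# fetch_ldaps_cert HOST [PORT]: print the PEM certificate the server presents.
# 636 is the standard LDAPS port.
fetch_ldaps_cert() {
    local host=$1 port=${2:-636}
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM 2>/dev/null
}

# cert_status PEM_FILE: print UNREADABLE, EXPIRED, CRITICAL, WARNING or OK.
# Return code follows the usual monitoring convention:
# 0 OK, 1 warning, 2 critical or expired, 3 unknown.
cert_status() {
    local pem=$1
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED"; return 2
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((CRIT_DAYS * 86400)) >/dev/null; then
        echo "CRITICAL"; return 2
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "WARNING"; return 1
    fi
    echo "OK"; return 0
}

# Check a live server only when a host is given on the command line.
if [ $# -ge 1 ]; then
    tmp=$(mktemp)
    fetch_ldaps_cert "$1" "${2:-636}" > "$tmp"
    rc=0
    status=$(cert_status "$tmp") || rc=$?
    echo "$1: $status"
    rm -f "$tmp"
    exit "$rc"
fi
```

Run it from cron with the server's host name as the first argument; an UNREADABLE result means no certificate could be retrieved from the LDAPS port.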

NOTE: It is a security best practice to allow only a 2-year expiration on server certificates, because older crypto methods become weaker and new ones are released. However, certificates can be manually created with a lifetime longer than 2 years. To do so, refer to the Certificate Server Administration Guide for your version.

Additional Information

Services possibly affected:

* LDAPS - See TID# 7002343
* Linux User Management (LUM) - Run "namconfig -k" to export the newly created LDAP certificate.
* Apache - See TID# 3911570
* Tomcat

The above list does not claim to be a complete listing of OES services affected by expiration of SSL Certificates.