I have a couple of Novell NetWare 6.5 SP8 servers that simply refuse to die. One of them can be quantum dated back to 2004, the other one dates back to 2008. Last night the Root CA expired, rendering LDAP services unavailable. Luckily, I had prepared for this event.

TID 7013047 tells us how to delete the old CA and create a new one. TID 7006567 tells us how to recreate the server certificates.

I used the iManager approach, and performed these steps.

  1. iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority | Next | Certificates | Select ALL certificates | Select Validate.
  2. If the Certificate status shows Invalid or Expired, then proceed with the following section to renew the CA.
  3. iManager | Roles & Tasks | Directory Administration | Delete Object | Browse to and Select the CA object located in the Security container.
  4. iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority.
  5. Browse and select the server to host the new CA and provide a name for the object. Note: This can be any name, but was originally called CA by default.
  6. Select Next, Accept the Defaults, Finish.
  7. Go into iManager.
  8. Go to ‘Novell Certificate Server’.
  9. Choose ‘Repair Default Certificates’.
  10. Choose for your tree one or more servers that need the certificates to be repaired/renewed and click on OK.
  11. Click on Next.
  12. Select ‘Yes All Default Certificates will be overwritten’ and click on ‘Next’.
  13. Click on ‘Finish.’
  14. When this process is completed, click on ‘Close’.

What neither TID told me was to export the new Root CA and overwrite SYS:/PUBLIC/RootCert.cer on every server.

  1. iManager
  2. Roles & Tasks
  3. Novell Certificate Server
  4. Configure Certificate Authority
  5. Next
  6. Certificates
  7. Select Organizational CA
  8. Export
  9. Select Organizational CA
  10. Uncheck Export private key
  11. Next
  12. Save the exported certificate.
  13. Save the certificate as SYS:/PUBLIC/RootCert.cer on one of the servers.
  14. Copy SYS:/PUBLIC/RootCert.cer to all the other servers.

After rebooting each of the servers, it became necessary to run tckeygen.ncf from the console. I rebooted each server a second time, just to be sure.

On our FreeBSD servers it was necessary to import the new Root CA, and restart the nscd and the nslcd services.

The Root CA will expire again in 10 years, and the server certificates will expire in 2 years. All is well. However, I wonder why we can’t influence the validity periods for our certificates.
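Since the CA will expire again and every server carries its own copy of RootCert.cer, a small check that reads the exported DER file, reports the days left before expiry and prints a hash to compare across servers is worth keeping around. This is an added example, not part of the original post or of Novell's tooling; it uses only the Python standard library, so it runs from an admin workstation or the FreeBSD boxes rather than on NetWare, and `sample_cert` builds a constructed, unsigned certificate skeleton solely for offline testing.

```python
import hashlib
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one ASN.1 TLV at pos: returns (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Split the value of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    # UTCTime (two-digit year, pivot handled by %y) or GeneralizedTime (four-digit year)
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER certificate such as SYS:/PUBLIC/RootCert.cer."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature AlgorithmIdentifier, issuer Name, validity, ...
    not_before, not_after = _children(fields[3][1])
    return _time(*not_before), _time(*not_after)

def days_until_expiry(der, now=None):
    """Days left before notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(der)[1] - now).days

def fingerprint(der):
    """SHA-256 of the DER bytes: every server's RootCert.cer copy should give the same value."""
    return hashlib.sha256(der).hexdigest()

def _der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length only (body < 128 bytes)

def sample_cert(not_before, not_after):
    """Constructed minimal, unsigned certificate skeleton with UTCTime validity, for testing only."""
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity
    return _der(0x30, _der(0x30, tbs))
```

For a real file, `cert_validity(open("RootCert.cer", "rb").read())` gives the dates; if the file was saved in Base64 (PEM) form, strip the header lines and base64-decode it first.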
