Renewing Root CA for Novell NetWare 6.5 SP8
I have a couple of Novell NetWare 6.5 SP8 servers that simply refuse to die. One of them can be quantum dated back to 2004, the other one dates back to 2008. Last night the Root CA expired, rendering LDAP services unavailable. Luckily, I had prepared for this event.
TID 7013047 tells us how to delete the old CA and create a new one. TID 7006567 tells us how to recreate the server certificates.
I used the iManager approach, and performed these steps.
- iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority | Next | Certificates | Select ALL certificates | Select Validate.
- If the Certificate status shows Invalid or Expired, then proceed with the following section to renew the CA.
- iManager | Roles & Tasks | Directory Administration | Delete Object | Browse to and Select the CA object located in the Security container.
- iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority.
- Browse and select the server to host the new CA and provide a name for the object. Note: This can be any name, but was originally called CA by default.
- Select Next, Accept the Defaults, Finish.
- Go into iManager.
- Go to ‘Novell Certificate Server’.
- Choose ‘Repair Default Certificates’.
- Choose for your tree one or more servers that need the certificates to be repaired/renewed and click on OK.
- Click on Next.
- Select ‘Yes All Default Certificates will be overwritten’ and click on ‘Next’.
- Click on ‘Finish.’
- When this process is completed, click on ‘Close’.
What neither TID told me was to export the new Root CA and overwrite SYS:/PUBLIC/RootCert.cer on every server.
- iManager
- Roles & Tasks
- Novell Certificate Server
- Configure Certificate Authority
- Next
- Certificates
- Select Organizational CA
- Export
- Select Organizational CA
- Uncheck Export private key
- Next
- Save the exported certificate
- Save the certificate as SYS:/PUBLIC/RootCert.cer on one of the servers.
- Copy SYS:/PUBLIC/RootCert.cer to all the other servers.
After rebooting each of the servers, it became necessary to run tckeygen.ncf from the console. I rebooted each server a second time, just to be sure.
On our FreeBSD servers it was necessary to import the new Root CA, and restart the nscd and the nslcd services.
The Root CA will expire again in 10 years, and the server certificates will expire in 2 years. All is well. However, I wonder why we can’t influence the validity periods for our certificates.
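One way to confirm that every server received the new root and to catch the next expiry early, as an added example that is not part of the original post. It assumes the OpenSSL command-line tool is available (for instance on the FreeBSD hosts) and that each server's SYS:/PUBLIC/RootCert.cer has been fetched to a local file; the function names and status labels are this example's own.

```sh
#!/bin/sh
# Added example. Assumes the openssl CLI; file paths passed in are local copies.
# Example call (placeholder names): check_root_copies 90 exported.cer srv1.cer srv2.cer

# Print the SHA-256 fingerprint of a certificate in Base64 (PEM) or binary (DER) form.
cert_fingerprint() {
    for form in PEM DER; do
        if fp=$(openssl x509 -inform "$form" -in "$1" -noout -fingerprint -sha256 2>/dev/null); then
            printf '%s\n' "${fp#*=}"   # drop the "Fingerprint=" label
            return 0
        fi
    done
    return 1
}

# Succeed only if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    for form in PEM DER; do
        if openssl x509 -inform "$form" -in "$1" -noout >/dev/null 2>&1; then
            # -checkend N exits non-zero when the certificate expires within N seconds
            openssl x509 -inform "$form" -in "$1" -noout \
                -checkend "$(( $2 * 86400 ))" >/dev/null || return 1
            return 0
        fi
    done
    return 2
}

# check_root_copies MIN_DAYS REFERENCE COPY...
# Returns 0 only if REFERENCE stays valid for MIN_DAYS and every COPY matches it.
check_root_copies() {
    min_days=$1; reference=$2; shift 2
    ref_fp=$(cert_fingerprint "$reference") || { echo "UNREADABLE $reference"; return 1; }
    status=0
    cert_valid_for_days "$reference" "$min_days" || { echo "EXPIRING $reference"; status=1; }
    for copy in "$@"; do
        if ! fp=$(cert_fingerprint "$copy"); then
            echo "UNREADABLE $copy"; status=1
        elif [ "$fp" != "$ref_fp" ]; then
            echo "STALE $copy"; status=1      # e.g. the old root was never overwritten
        else
            echo "OK $copy"
        fi
    done
    return "$status"
}
```

Run from cron with a generous MIN_DAYS, a non-zero exit gives warning well before the root or a stale copy takes LDAP down again.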
Very cool
worked perfectly, many thanks for this!!!
so sad had to reboot novell after 898 days up.