Moving the Certificate Authority

(Last modified: 29Sep2003)

This document (10065940) is provided subject to the disclaimer at the end of this document.

goal

Moving the Certificate Authority

fact

Certificate Server

NetWare 5.1

Novell NetWare 6.0

fix

In general, moving a Certificate Authority (CA) between two servers will only work if the CA has been created with NICI 2.1 or higher and Certificate Server 2.20 or higher.

This will most likely be the case if the CA was created on a Novell NetWare 6.X server. With NICI versions prior to 2.X, the private key of the CA's RSA key pair is stored in the NICI crypto storage in a format that does not allow the private key to be exported, so the CA cannot be exported into a PKCS#12 envelope (PFX file). Since NICI 2.X and Certificate Server 2.2X, the private key can be stored in a format that allows an export after the key has been created. If the CA was created with NICI 1.X and Certificate Server 2.0X, it can therefore only be re-created, not moved between two servers.

Re-create a CA

Conditions:

  • old server stays in the tree
  • new server has been already installed into the tree
  • new server has a valid copy of the Security Domain Key (SDI Key)
  • if the new server is a NetWare 5.1 server
    • apply the latest service pack
    • make sure it runs NICI 2.XX and Certificate Server 2.2X or higher (shipped with eDirectory)
  • new server has a copy of the security container (Root partition or Security Partition root object)
  • make sure your administration workstation runs the latest client NICI, ConsoleOne, and the Certificate Server snap-ins for ConsoleOne version 2.2X or higher

Steps:

If you want to keep the same object name and subject name, write down this information from your old CA object before you delete it.

  1. Delete the old CA object stored in the security container.
    Note:  The Certificate Authority (CA) of a Public Key Infrastructure (PKI) is only used while certificates are being issued. Services based on existing user and server certificates issued by your tree CA therefore continue to work after you have deleted the CA object. (All KMO objects store a copy of the complete trust chain, including the trusted root certificate.)
  2. Use ConsoleOne to create a new CA object and assign it to the new server during the creation process.
  3. Use PKIDIAG on all other servers to create new default KMO objects (replacement mode). To create new server certificates for the remaining NetWare 5.1 servers, download and run PKIDIAG1.EXE from support.novell.com; if that fails, re-install Certificate Server on each server.
  4. Create new user certificates if you are using user certificates issued by your tree CA.
  5. If you are using NMAS or iChain, add the new trusted root certificate to your Trusted Root Container.

Note: Do not delete any of the following objects when re-creating a CA:

  1. SAS objects
  2. Login Policy Objects (LPO)
  3. Key Access Partition (KAP) and W0 objects
  4. Security Container
  5. Old user and Server Certificates


Move the Certificate Authority (CA)

Conditions:

  • old CA has been created with NICI 2.XX and Certificate Server 2.2X or higher (shipped with eDirectory)
  • old server stays in the tree
  • new server has already been installed into the tree
  • new server has a valid copy of the Security Domain Key (SDI Key)
  • if the new server is a NetWare 5.1 server
    • apply the latest service pack
    • make sure it runs NICI 2.XX and Certificate Server 2.2X or higher (shipped with eDirectory)
  • new server has a copy of the security container (Root partition or Security Partition root object)
  • make sure your administration workstation runs the latest client NICI, ConsoleOne, and the Certificate Server snap-ins for ConsoleOne version 2.2X or higher

Steps:

  1. Use ConsoleOne to export the CA into a PKCS#12 envelope (PFX file). Check that the export succeeded and that the PFX actually contains the CA private key before going on; if the key could not be exported, follow the Re-create a CA procedure above instead.
  2. Delete the old CA object.
  3. Create a new CA object and use the import process to read all required information from the PKCS#12 file created in step 1.

Note: The PFX file contains the CA private key. Protect it with a strong password, do not leave it on a shared volume, and securely delete it once the import has succeeded.
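As an added example, not part of this TID and not a Novell tool: a shell script that uses openssl to check, before step 2 deletes the old CA object, that the PFX produced in step 1 really carries the CA private key and that this key matches the CA certificate. The file names, the password "secret" and the subject "O=EXAMPLE, CN=Organizational CA" are assumptions; the demo PFX is constructed inside the script because no ConsoleOne export is available here, and openssl is assumed to be installed on the workstation running the check.

```shell
#!/bin/sh
# Added example, not from the Novell TID: sanity-check a PKCS#12 (PFX) export
# of the CA before deleting the old CA object. File names, the password and
# the demo subject are assumptions; openssl is assumed to be installed.

# Returns 0 if the PFX carries a private key. An export from a NICI 1.X key
# store would have none, because that key format is not exportable.
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Returns 0 if the private key and the certificate bound to it (-clcerts)
# derive the same public key, i.e. the export is internally consistent.
pfx_key_matches_cert() {
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null || true)
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Prints the subject of the certificate bound to the private key, to compare
# with the subject name written down from the old CA object.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null
}

# Constructed test data: a throw-away CA key pair and self-signed certificate
# packed into a PFX, standing in for the ConsoleOne export. Prints the path.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=EXAMPLE/CN=Organizational CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.crt" \
        -name "Organizational CA" -passout "pass:$2" -out "$1/ca_export.pfx"
    echo "$1/ca_export.pfx"
}

# Constructed negative case: a PFX holding the CA certificate only, which is
# useless for moving a CA. Needs ca.crt from make_demo_pfx in the same dir.
make_cert_only_pfx() {
    openssl pkcs12 -export -nokeys -in "$1/ca.crt" \
        -passout "pass:$2" -out "$1/ca_certonly.pfx"
    echo "$1/ca_certonly.pfx"
}

# The check as a practitioner would run it: refuse to continue unless the
# export is usable, and say why it is not.
check_pfx() {
    pfx_has_private_key "$1" "$2" \
        || { echo "no private key in $1: re-create the CA instead of moving it"; return 1; }
    pfx_key_matches_cert "$1" "$2" \
        || { echo "private key does not match the CA certificate in $1"; return 1; }
    echo "ok: $1 holds the CA key and its certificate, $(pfx_subject "$1" "$2")"
}
```

Run check_pfx against the real export with its password. If it reports that no private key is present, the CA was created with a NICI 1.X key store and has to be re-created rather than moved. The PFX holds the CA private key, so handle the file with the same care as the CA itself.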

document

Document Title: Moving the Certificate Authority
Document ID: 10065940
Solution ID: NOVL63246
Creation Date: 09Nov2001
Modified Date: 29Sep2003
Novell Product Class: Groupware
NetWare
Novell BorderManager Services
Novell eDirectory
Security Components

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.