The DNS address in KMO SSL CertificateDNS does not match the default DNS address for the server

(Last modified: 30Dec2002)

This document (10073066) is provided subject to the disclaimer at the end of this document.

fact

PKIDIAG.NLM

Novell Certificate Server

SSL CertificateDNS

SSL CertificateIP

symptom

The DNS address in KMO SSL CertificateDNS does not match the default DNS address for the server

The IP address in KMO SSL CertificateIP does not match the default IP address for the server

Using PKIDIAG.NLM to verify Certificate problems, the following error was noted:

The DNS address in KMO SSL CertificateDNS does not seem to match the default DNS address for the server

Previously the value in the address field was the IP address of the server. Afterward the value is the DNS name for the server, i.e. ".o=org.cn=servername" vs "10.9.8.7".

Browser Security Alert dialog Server Certificate information does not match the server's DNS or IP

fix

The value here is the "Subject name" value of the Certificate being checked.

1. Using Console One select the properties of the SSL CertificateDNS
2. Select the Certificates tab
3. Select the Public Key Certificate properties

The "Subject name" field is the value that you are seeing before and after PKIDIAG.NLM is run. The origin of the IP address value here for the SSL CertificateDNS comes during the original install of the server. If a reverse DNS lookup for the server IP address failed during the install, this value would be populated with the IP address of the server. The lookup failure would occur if the DNS tables were not populated with this server's A record and the reverse entry or the DNS server was not reachable during the installation. If proper DNS entries for the server and the reverse lookup entry existed (the IN-ADDR-ARPA tables) then the DNS name would have been entered in the SSL CertificateDNS Subject name value. You can check the SSL CertificateIP to see the Subject name value with an IP address.

PKIDIAG now checks this information and will also use the SYS:\etc\hostname file to check the correct values for these certificates. The error noted above will occur if DNS entries now exist, the hostname file is set up, or DNS names have changed since the server was first installed. The DNS value can be forced using the /DNS flag on the PKIDIAG command line. This option allows you to force a particular value for the Subject name of the SSL CertificateDNS. The /IP flag allows the same for the Subject name on the SSL CertificateIP.
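The check described above, modelled as an added Python example (this is not Novell's PKIDIAG code): it reproduces how the installer populates the Subject name (the DNS name when the reverse lookup succeeds, the bare IP address when it fails) and then compares both KMO Subject names against the server's current DNS name and IP address, as PKIDIAG does. The reverse-DNS table, the hostname file contents and all function names are constructed for the example, and the precedence of the hostname file over reverse DNS is an assumption (the TID says both are consulted but gives no order).

```python
from typing import Optional

# Constructed sample data (not from a real server): a reverse-DNS table
# standing in for the IN-ADDR.ARPA zone, and the contents of SYS:\etc\hostname.
REVERSE_TABLE = {"10.9.8.7": "servername.org.example"}
HOSTNAME_FILE = "servername.org.example\n"


def reverse_lookup(ip: str, table: dict) -> Optional[str]:
    """PTR lookup against the in-memory table; None means the lookup failed."""
    return table.get(ip)


def install_time_subject(server_ip: str, table: dict) -> str:
    """Subject name the installer writes into SSL CertificateDNS: the DNS name
    when the reverse lookup succeeds, otherwise the bare IP address."""
    return reverse_lookup(server_ip, table) or server_ip


def expected_dns_name(server_ip: str, table: dict, hostname_file: str) -> str:
    """Name PKIDIAG should expect. Assumed precedence: hostname file first,
    then reverse DNS, then the IP address itself."""
    for line in hostname_file.splitlines():
        if line.strip():
            return line.strip()
    return install_time_subject(server_ip, table)


def pkidiag_check(dns_subject: str, ip_subject: str, server_ip: str,
                  table: dict, hostname_file: str) -> list:
    """Compare both KMO Subject names with the server's current DNS name and
    IP address. Returns (KMO, actual, expected) for each mismatch found."""
    problems = []
    want_dns = expected_dns_name(server_ip, table, hostname_file)
    if dns_subject != want_dns:
        problems.append(("SSL CertificateDNS", dns_subject, want_dns))
    if ip_subject != server_ip:
        problems.append(("SSL CertificateIP", ip_subject, server_ip))
    return problems


if __name__ == "__main__":
    # Server installed while reverse DNS was unreachable: the KMO got the IP.
    dns_kmo = install_time_subject("10.9.8.7", {})
    for kmo, actual, expected in pkidiag_check(dns_kmo, "10.9.8.7", "10.9.8.7",
                                               REVERSE_TABLE, HOSTNAME_FILE):
        print(f"The address in KMO {kmo} ({actual}) does not match "
              f"the default address for the server ({expected})")
```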

This all comes into view for end users when the certificates are used by services such as web servers. Browsing to a server for management by Novell Remote Manager will usually result in a Security Alert dialog that identifies a Certificate that the browser does not trust. This is especially true if using the Novell Certificate Server as Certificate Authority for the Tree. Checking the properties of the certificate presented to the browser reveals the Subject name of the Certificate in use. If the server was set up without proper DNS entries originally, then the Certificate information will be only the IP address. This is often not very useful to end users; the server name will usually be more informative for them. Another danger here is a server that was set up and then had the IP and/or DNS information changed without the SSL Certificate Subject name values being updated. The information presented in the Security Alert in these situations will not match the actual server information.

The SSL Certificates will work regardless of the Subject name value. It is essentially information only. For practical purposes and end user comfort (i.e. fewer help desk and support calls) it is best to make sure that this information is updated properly when server IP and DNS changes occur. PKIDIAG.NLM is very useful in correcting this information. Using the /DNS and /IP switches, the correct information can be provided when dealing with these two Certificates. (Type PKIDIAG /? for all options.)

document

Document Title: The DNS address in KMO SSL CertificateDNS does not match the default DNS address for the server
Document ID: 10073066
Solution ID: NOVL81280
Creation Date: 30Jul2002
Modified Date: 30Dec2002
Novell Product Class: NetWare
Novell BorderManager Services
Novell eDirectory

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.