How to upgrade the Organizational Certificate Authority (CA)
(Last modified: 02Feb2004)
This document (10089041) is provided subject to the disclaimer at the end of this document.
goal
How to upgrade the Organizational Certificate Authority (CA)
symptom
Error: "CERTIFICATE AUTHORITY old and not exportable"
Organizational Certificate Authority certificates have expired
Error occurs when exporting the private key of the Certificate Authority
cause
If an Organizational CA was created with PKI.NLM 1.x, the ability to export the private key or to move the Organizational CA to a new host server is not available. The only way to get this functionality is to delete the existing Organizational CA and re-create it with the new PKI.NLM (version 2.x or greater).
Some Organizational CA objects were created with a validity period of only 2 years, instead of the more common 10 years. This means the CA may expire while you are still using the server it was originally created on.
fix
If the certificate on the Organizational CA object (found in the Security container) has expired, you must delete and recreate the Organizational CA object following the steps listed below. Any dependent certificates will also need to be deleted and recreated.
Minimum requirements:
- Certificate Authority Server (PKI.NLM). PKI 2.2.x or greater is recommended.
The minimum requirements will most likely be met if the CA has been created on a Novell NetWare 6.X server.
Steps to delete and re-create the Organizational CA?
note
Q. What happens when I delete the Organizational CA?
A. Deleting the Organizational CA will remove your ability to sign certificates for any new server certificates you might create.
Conceptually, when you delete the Organizational CA, you are invalidating all certificates that were previously issued by the former Organizational CA.
But since each server certificate object (KMO) stores the complete certificate chain, services using server certificates will continue to work.
The only certificates that need to contact the Organizational CA every time they are validated are user certificates. For every user certificate that was created with the original Organizational CA, a new certificate needs to be created with the new Organizational CA and re-issued (exported and then imported into whatever application is consuming the certificate).
Q. How do I get all of the new objects in the tree to read the new Organizational CA?
- Simple Passwords and NMAS authentication methods
- KMO and SAS objects for servers in the tree
document
Document Title: How to upgrade the Organizational Certificate Authority (CA)
Document ID: 10089041
Solution ID: NOVL94020
Creation Date: 24Nov2003
Modified Date: 02Feb2004
Novell Product Class: NetWare Novell eDirectory Security Components
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.