How to renew an expired third party (i.e. Verisign, THAWTE, etc.) Public Key certificate on NetWare 6 and NetWare 6.5

(Last modified: 25Jun2005)

This document (10090786) is provided subject to the disclaimer at the end of this document.

goal

How to renew an expired third party (i.e. Verisign, THAWTE, etc.) Public Key certificate on NetWare 6 and NetWare 6.5

symptom

Public Key certificate in ConsoleOne shows the certificate is expired 

Trusted Root certificate is still valid

fact

Novell NetWare 6

Novell NetWare 6.5

Novell Certificate Server

fix

To update an expired external Public Key certificate on a NetWare 6 or NetWare 6.5 server, follow the steps below.  This example uses THAWTE (www.thawte.com) as the external company.  If you are using a different external company, these steps should not be any different.

IMPORTANT:  These steps will only work if the new certificate sent to you by the external authority is minted using the same CSR that was originally sent to the company.  If the external company requires you to delete the existing SSL certificate in the tree and generate a new one, you will need to follow the steps outlined in TID 10089761 - How to import a Production VeriSign External Certificate into eDirectory 8.7.1.

The first step is to export the entire certificate including the Private key to a PFX file.  This is done as a backup of the server certificate just in case something goes wrong. 

1.  Using ConsoleOne, locate the KMO (the THAWTE certificate) in the tree.  Right click the KMO and select Properties.

2.  Click the Certificates Tab (doesn't matter if you are on the Trusted Root or the Public Key page), select Export.

3.  At the prompt "Do you want to export the private key with the certificate?", select Yes, then Next.  NOTE:  If this screen does not appear, you are not logged in as a user with sufficient rights.  Verify that you are logged in as the same user that originally created the certificate.

 


4.  The next screen will show the Filename of the Exported KMO with a PFX extension.  Enter a password to protect the private key, Select Next>




5.  A  summary appears.  Click Finish.  Your KMO should now be exported to a PFX file.

6.  Close the ConsoleOne KMO properties screen(s).

IMPORTANT:  Before continuing, you need to see if the new certificate that was issued includes the Trusted Root certificate.  For example, Verisign will normally bundle the Trusted Root certificate with their Public Key renewal certificates.  To verify this, please do the following:

7. The external company (THAWTE in this example) will have sent you an email with the new Public Key certificate.  Open your email client.  In the last part of the email body you will see a section that begins with a Begin Certificate header, followed by many characters, and ends with an End Certificate line.  Highlight and copy everything from the Begin statement through the End statement, including both statements.  Open Notepad and paste the certificate into a new Notepad document.  Select Save As and make sure to change the "Save as type" to "All Files".  Give the file a name such as THAWTE_cert and make sure to give it a .DER extension.

Now double-click the new .der file just created and go to the Certification Path tab.  If you see two or more certificates listed, then most likely the renewed certificate includes the Trusted Root.  Highlight the uppermost certificate in the list and click the View Certificate button.  You should see the details of that certificate.



It will most likely be issued by a Certification Authority or a Server CA.  If this is the case, then skip down to Step 24.  If the certificate received from the 3rd party company only contains one certificate then continue to Step 8 below.  If you are unsure about whether the new certificate really does contain the Trusted Root, go ahead and still continue to Step 8.  It won't cause any problems to follow these steps. 

8.  Using your file browser, locate the PFX file created in Step 5.  Double click this file, which will open the Internet Explorer Certificate Import Wizard. Select Next>




9.  The PFX file should be listed.  Select Next>




10.   Enter the password used in step 4 and Select "Mark this key as exportable.  This will allow you to back up or transport your keys at a later time."  Select Next>




11.   Select Next>




12.  Completing the Certificate Import Wizard.  Select Finish.  




After selecting Finish, you should see "The import was successful."  Select OK.  Your Public Key and certificates should now be imported into Internet Explorer.  To verify, open Internet Explorer | Tools | Internet Options | Content | Certificates | Personal.  Your server certificate should appear here.

13.  With the Personal tab selected and with your certificate showing up in the list, highlight the certificate and select Remove.  You will get a warning message saying that if you delete the certificate, you will not be able to decrypt data encrypted using the certificate.  Select YES.

14.  Import the new certificate

Find the file created in Step 7, double-click it and choose "Install Certificate".




15.  Welcome to the Certificate Import Wizard.  Select Next>




16.  Certificate Store - Select Next>




17.   Select Finish. 




After selecting Finish, you should see "The import was successful."  Select OK.

18.  Open Internet Explorer.  Tools | Internet options | Content | Certificates | Personal.  You should see the new certificate that you just imported.  Make sure that the Expiration date is the new expiration date.




19.  Highlight the certificate and select Export.

20.  Welcome to the Certificate Export Wizard.  Select Next> 




21.  Select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)"  and check the box to "Include all certificates".  Select Next> 



 
22. File to Export.  Specify the name of the file you want to export.  Enter a file name with no extension (a .P7B extension will be appended).  Select Next>




23. Completing the Certificate Export Wizard.  




Select Finish.  You should see "The export was successful."  Select OK.  Close Internet Explorer.


In order to import the new certificate into ConsoleOne we need to first delete the old Public Key certificate.  Before you delete anything, please perform Steps 1-5 above to create another backup of the entire certificate object.

24.  Before you launch ConsoleOne, locate the ConsoleOne\1.2\snapins\Security\PKI.JAR file and physically MOVE the file out of the Security directory onto your Desktop.  DO NOT simply rename the file. 

25.  Launch ConsoleOne and locate the KMO (Certificate Object) in the tree.  Right click the KMO | Properties.  Verify that the Certificates tab is gone.  If it is still there, ConsoleOne is still reading the PKI.JAR file; go back and verify Step 24.  You will not be able to perform Step 26 while the Certificates tab is still there.  Once the tab is gone, select the Other tab.

26.  Delete the following 3 attributes (NDSPKI:Certificate Chain, NDSPKI:Key File, NDSPKI:Public Key Certificate) by highlighting the attribute and selecting the Delete button.  Be sure to Apply the changes before closing the Properties window.




27.  Close ConsoleOne and move the PKI.JAR file back into the ConsoleOne\1.2\snapins\Security\ directory. 

28.  Launch ConsoleOne again and go back to the Properties of the KMO object.  Verify that the Certificates tab is available again and select the dropdown arrow on the Certificates tab and select the Public Key Certificate page.

29.  You should not see the certificate listed anymore.  Instead you should see the Import button in the bottom right corner of the screen.  Select Import.

 

30.  Because we chose to include all certificates when we exported the .P7B file from Internet Explorer, check the box for "No Trusted Root Certificate available".  Select Next>.




31.  On the next screen choose to "Read from file" and browse to the .P7B file that you exported in Step 22. 

32.  Once the certificate information shows up in the text window, select Finish.




33.  Check the validity of the new Public Key certificate for the correct expiration date. 


34. Close the KMO properties window to refresh the KMO information.  Right click the KMO, select Properties.  Click the Certificates tab, select the Public Key Certificate and select Validate.  (This may take some time as ConsoleOne will need to read the Certificate Revocation List(s) (CRL).)

35.  Test the new Certificate. 

36.  If the certificate works correctly, perform Steps 1-5 again so that you have a new PFX backup of the certificate for disaster recovery purposes and store the file in a safe location. 
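
The precondition stated at the top of the fix (the renewed certificate must be minted from the original CSR) can be checked before Step 26 deletes the old attributes, by comparing the public key in the expired certificate with the one in the renewed certificate. The script below is an added example and not part of the original TID; it assumes the openssl command-line tool is available, and its file names and sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check that a renewed certificate carries the same public key
# as the expired one, i.e. that the CA minted it from the original CSR.
# Requires the openssl CLI. File names and sample certificates are constructed.

# Print a certificate's public key as PEM; accepts base64 (PEM) or binary DER.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -pubkey
}

# SHA-256 of the SubjectPublicKeyInfo: identifies the key, not the certificate.
spki_hash() {
    pub=$(cert_pubkey "$1") || return 1   # stop here on an unreadable file
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when both certificates were issued for the same key pair.
same_key() {
    a=$(spki_hash "$1") && b=$(spki_hash "$2") && [ "$a" = "$b" ]
}

# Constructed demo data: "old" and "renewed" share one key, "rekeyed" does not.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
subj="/CN=server.example.test"
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$demo/key.pem" \
    -out "$demo/old.pem" -days 30 -subj "$subj" 2>/dev/null
openssl req -new -x509 -key "$demo/key.pem" \
    -out "$demo/renewed.pem" -days 365 -subj "$subj" 2>/dev/null
openssl x509 -in "$demo/renewed.pem" -outform DER -out "$demo/renewed.der"
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$demo/key2.pem" \
    -out "$demo/rekeyed.pem" -days 365 -subj "$subj" 2>/dev/null

if same_key "$demo/old.pem" "$demo/renewed.der"; then
    echo "renewed.der: same key as the expired certificate"
fi
if ! same_key "$demo/old.pem" "$demo/rekeyed.pem"; then
    echo "rekeyed.pem: different key, does not match the original CSR"
fi
```

With real files, the first argument to `same_key` would be the expired certificate exported without its private key (assumed here to be saved as a separate file) and the second the file saved in Step 7.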



RECOVERY from a failed attempt to replace the certificate

If something does go wrong and the import has somehow corrupted the certificate in the tree, delete the entire KMO object.  Then create a new one and specify the correct server and give it a meaningful name.  For the Creation Method, choose Import.  Select "Read from file" and then specify the .PFX file from Step 4.  Enter the password and finish.  This will at least bring you back to Steps 1-5 so that you can attempt the procedure again.


document

Document Title: How to renew an expired third party (i.e. Verisign, THAWTE, etc.) Public Key certificate on NetWare 6 and NetWare 6.5
Document ID: 10090786
Solution ID: NOVL95254
Creation Date: 29Jan2004
Modified Date: 25Jun2005
Novell Product Class: Web Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.