This document (10092318) is provided subject to the disclaimer at the end of this document.
fact
Novell NetWare 6.5
PKIDIAG.NLM Version 2.70 December 9, 2003
symptom
ERROR -1211 creating SSL CertificateDNS
ERROR -1211 creating SSL CertificateIP
-1211 - DS_T_PKI_E_UPDATE KMO 0xFFFFFB45 PKI E UPDATE KMO
fix
Delete the SAS Service object and the KMO objects associated with the server in question.
Then run PKIDiag once again.
cause
The server in question was originally installed into a separate eDirectory tree.
An eDirectory DIB was taken from a production server and restored onto this server, effectively inserting it into the production eDirectory tree.
note
A Server Certificate object is an eDirectory object that contains the public key, private key, certificate, and certificate chain.
It is also known as a Key Material object (KMO), and the NDS schema name is NDSPKI:Key Material.
The private key is stored in the Server Certificate object in encrypted form.
A server can own many Server Certificate objects.
Any cryptography-enabled applications running on a particular server that require keying material for their operation can be configured to use any one of the Server Certificate objects that the server owns.
All Server Certificate objects must be owned by a server. Ownership of the Server Certificate object cannot be changed or transferred.
Each server links to the appropriate Server Certificate objects so that the server's certificates can be used by cryptography-enabled applications.
COPY OF SYS:\ETC\CERTSERV\REPAIR.LOG
---------------------------------------------------------------------------
PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
(Check the end of the log for the last repair results)
Current Time: Mon Apr 5 18:49:18 2004
User logged-in as: admin.novell.
Fixing mode
Rename and create mode
Rename and create when necessary
--> Server Name = 'SERVER6'
---------------------------------------------------------------------------
Step 1 Verifying the Server's link to the SAS Service Object.
Server 'SERVER6.Services.NOVELL' points to SAS Service object 'SAS Service - SERVER6.Services.NOVELL'
Step 1 succeeded.
Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - SERVER6.Services.NOVELL' is backlinked to server 'SERVER6.Services.NOVELL'.
Step 2 succeeded.
Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SERVER6.Services.NOVELL'.
--->KMO SSL CertificateIP - SERVER6.Services.NOVELL is linked.
--->KMO SSL CertificateDNS - SERVER6.Services.NOVELL is linked.
Step 3 succeeded.
Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateIP - SERVER6.Services.NOVELL'.
Rights check -- OK.
Back link -- OK.
Private Key -- Failed.
---> Testing KMO 'SSL CertificateDNS - SERVER6.Services.NOVELL'.
Rights check -- OK.
Back link -- OK.
Private Key -- Failed.
.
.
.
.
---> Testing KMO 'SSL CertificateDNS - SERVER3.Services.NOVELL'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.
---> Testing KMO 'SSL CertificateIP - SERVER3.Services.NOVELL'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.
.
.
.
Step 4 succeeded.
Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - SERVER6.Services.NOVELL'.
PROBLEM: Cannot use private key for KMO 'SSL CertificateIP - SERVER6.Services.NOVELL'. It should be probably be unlinked and deleted.
Fix -- Successfully removed the link to KMO 'SSL CertificateIP - SERVER6.Services.NOVELL'. You should probably delete it.
PROBLEM: Cannot use private key for KMO 'SSL CertificateDNS - SERVER6.Services.NOVELL'. It should be probably be unlinked and deleted.
Fix -- Successfully removed the link to KMO 'SSL CertificateDNS - SERVER6.Services.NOVELL'. You should probably delete it.
Step 5 succeeded.
Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 192.168.100.10
PROBLEM: A SSL CertificateIP does not exist
FIXING: Creating SSL CertificateIP (192.168.100.10)
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
ERROR -1211 creating SSL CertificateIP.
--> Number of Server DNS names for the IP address 192.168.100.10= 1
--> The server's default DNS name is:
SERVER6.Services.NOVELL
PROBLEM: A SSL CertificateDNS does not exist
FIXING: Creating SSL CertificateDNS (SERVER6.Services.NOVELL)
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
Pausing for 5 seconds because of error -1211
ERROR -1211 creating SSL CertificateDNS.
Step 6 failed -1211.
Note: Occasionally multiple problems will be solved with a single fix.
Fixable problems found: 4
Problems fixed: 2
Un-fixable problems found: 0
.
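For triage of a saved REPAIR.LOG, the following added example (not Novell code) parses PKIDiag output in the format shown above and reports whether it matches this document's symptom: a KMO backlinked to the server whose private key test failed, together with error -1211 on certificate creation. The function names are hypothetical and the sample log is a constructed, condensed excerpt.

```python
import re

# Constructed sample: condensed excerpt in the format of the REPAIR.LOG above.
SAMPLE_LOG = """\
--> Server Name = 'SERVER6'
Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateIP - SERVER6.Services.NOVELL'.
Rights check -- OK.
Back link -- OK.
Private Key -- Failed.
---> Testing KMO 'SSL CertificateDNS - SERVER3.Services.NOVELL'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.
Step 6 Creating IP and DNS Certificates if necessary.
FIXING: Creating SSL CertificateIP (192.168.100.10)
Pausing for 5 seconds because of error -1211
ERROR -1211 creating SSL CertificateIP.
Step 6 failed -1211.
"""

KMO_RE = re.compile(r"^-+>\s*Testing KMO '(.+)'\.")
CHECK_RE = re.compile(r"^(Rights check|Back link|Private Key) -- (.+?)\.?$")
ERROR_RE = re.compile(r"^ERROR (-\d+) creating (.+?)\.?$")

def parse_pkidiag(text):
    """Return ({kmo_name: {check: result}}, [(error_code, certificate_name)])."""
    kmos, errors, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KMO_RE.match(line):
            current = kmos.setdefault(m.group(1), {})
        elif (m := CHECK_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif m := ERROR_RE.match(line):
            errors.append((int(m.group(1)), m.group(2)))
        elif line.startswith("Step "):
            current = None  # a step header ends the per-KMO check block
    return kmos, errors

def unusable_own_kmos(kmos):
    """KMOs backlinked to this server whose private key test failed."""
    return sorted(name for name, checks in kmos.items()
                  if checks.get("Back link") == "OK" and checks.get("Private Key") == "Failed")

def matches_this_tid(text):
    """True when the log shows the symptom pattern described in this document."""
    kmos, errors = parse_pkidiag(text)
    return bool(unusable_own_kmos(kmos)) and any(code == -1211 for code, _ in errors)
```

KMOs that PKIDiag reports as belonging to a different server are deliberately excluded, since the log shows they are ignored rather than tested.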
document
Document Title: ERROR -1211 creating SSL CertificateDNS
Document ID: 10092318
Solution ID: NOVL96345
Creation Date: 06Apr2004
Modified Date: 06Apr2004
Novell Product Class: Netware
disclaimer
The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.