Trying to import a Verisign certificate via ConsoleOne gives a " -1 ERROR "

(Last modified: 24Nov2004)

This document (10094212) is provided subject to the disclaimer at the end of this document.

fact

Novell NetWare 6.5 Support Pack 1

Novell Certificate Server 2.0

Novell eDirectory 8.7.3 for NetWare 6.5

symptom

Trying to import a Verisign certificate via ConsoleOne gives a " -1 ERROR "

Trying to import the same certificate via iManager gives " Error: The following error occurred importing the certificate. The Novell Certificate Server plug-in to iManager could not parse the certificate or extract the mandatory elements from the certificate. "

change

A Verisign SSL certificate was recently purchased, and an attempt is being made to import it and the root CA certificate into a server's KMO (Key Material Object).

cause

Usually, when a Certificate Signing Request (CSR) is created to send to Verisign, the OU= is not used in the subject name.  Example: CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us

All new certificates being sent from Verisign now contain an OU= in the subject name of the signed certificate returned regardless of whether one was specified in the CSR.  Example: CN=myserver.mydomain.com.OU=Terms of use at www.verisign.com/RPA (c)01.O=headquarters.L=provo.S=utah.C=us

Since the subject name of the signed certificate is different from the subject name used in the CSR, the import fails with the above errors.
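
An added example, not part of the original TID and not Novell code: a pre-import check that parses the two dot-delimited subject names quoted above and reports which components the CA added. The function names and the set of attribute types are assumptions made for illustration.

```python
import re

# Attribute types seen in the subject names on this page (assumed to be the full set).
RDN_TYPES = ("CN", "OU", "O", "L", "S", "C")
# An RDN begins at the start of the name, or at a dot followed by "<TYPE>=".
_RDN_START = re.compile(r"(?:^|\.)(%s)=" % "|".join(RDN_TYPES), re.IGNORECASE)


def parse_dotted_subject(name):
    """Split a dot-delimited subject name into ordered (type, value) pairs.

    Values such as host names and URLs contain dots themselves, so the name
    is split only where a dot is followed by a known attribute type and '='.
    """
    name = name.strip()
    starts = list(_RDN_START.finditer(name))
    if not starts or starts[0].start() != 0:
        raise ValueError("subject name must begin with a known attribute type")
    rdns = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(name)
        rdns.append((m.group(1).upper(), name[m.end():end]))
    return rdns


def subject_diff(csr_subject, cert_subject):
    """Report RDNs present in only one of the two subject names."""
    csr = parse_dotted_subject(csr_subject)
    cert = parse_dotted_subject(cert_subject)
    return {
        "match": csr == cert,  # exact, order-sensitive comparison
        "added_by_ca": [r for r in cert if r not in csr],
        "missing_from_cert": [r for r in csr if r not in cert],
    }


if __name__ == "__main__":
    # The two subject names quoted in the cause section of this document.
    csr = "CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us"
    cert = ("CN=myserver.mydomain.com.OU=Terms of use at www.verisign.com/RPA (c)01"
            ".O=headquarters.L=provo.S=utah.C=us")
    result = subject_diff(csr, cert)
    print("subjects match:", result["match"])
    for rdn_type, value in result["added_by_ca"]:
        print("added by CA: %s=%s" % (rdn_type, value))
```

A non-empty added_by_ca list means the Subject Name attribute on the object has to be changed as described under fix before the import is retried.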

fix

This issue has been resolved in PKI.NLM 2.73 or higher.  Version 2.73 is contained in NetWare 6.5 SP2. It can also be found in the latest security update, presently SECUPD6A.TGZ.

NOTE: You will have to change your server certificate's subject name to match the subject name in the signed certificate.

1. Open the properties of the object via ConsoleOne.  The recommended version to date is 1.36c, available on the support site.
2. Click on the Page Options box and disable the Certificates tab in ConsoleOne. Disable - OK - OK - Cancel.
3. Open the object again - Go to the Other tab - Open the Subject Name attribute and change the subject name to match the one in the signed certificate received from Verisign.  (This can be verified by pasting the signed certificate into Notepad as a filename.cer file.  Then double-click the file - Go to the Details page and examine the subject name.)
4. Now we can attempt to re-import the certificate.  First the Certificates tab must be re-enabled.  Open the Page Options - enable the Certificates page - Enable - OK - OK - Cancel.  Now re-open the properties of the object - Go to the Certificates tab and select Import.

Please also see the following TID: Getting a 1232 error during the import.

document

Document Title: Trying to import a Verisign certificate via ConsoleOne gives a " -1 ERROR "
Document ID: 10094212
Solution ID: NOVL98429
Creation Date: 19Aug2004
Modified Date: 24Nov2004
Novell Product Class: Novell Directory Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.