Troubleshooting steps for SSL Certificates, Organizational CA, and Certificate Server.
(Last modified: 09Sep2004)
This document (10094253) is provided subject to the disclaimer at the end of this document.
Novell NetWare 5.1
Novell NetWare 6.0
Novell NetWare 6.5
Certificate Authority (CA)
Troubleshooting steps for SSL Certificates, Organizational CA, and Certificate Server.
How do I recreate my Certificate Authority?
How do I reinstall Certificate Server?
CRITICAL: BEFORE CONTINUING ON MAKE SURE YOUR READ THIS DOCUMENT IN ITS ENTIRETY.
SECTION I -- Testing your certificates and your Certificate Authority
WARNING: If NICI (Novell International Cryptographic Infrastructure) is corrupt/missing, you will have NICI errors in exporting CA, creating KMOs (SSL Certificates), et cetera. Search the knowledgebase for errors you encounter to see if they are NICI related.
This is a simple, quick test you can perform to make sure the certificates you are creating are valid--which in turn tells you whether or not your Certificate Authority is working properly. ConsoleOne is just one of the tools you can use. Keep in mind that iManager is another option.
Perform the following:
Under ConsoleOne highlight the Organization or Organizational Unit that you server object resides in. Click FILE > NEW > OBJECT > NDSPKI: Key Material object. Assign it to a server and select standard options. Give it a simple name, such as "test" Watch for errors when clicking NEXT and FINISH during the process of creation.
By default we will rename the certificate to "test - SERVERNAME" Ignore that and just remember what you called the certificate by (IE test). There is a following step that IS case sensitive, so pay attention to your case.
m nile (this will tell you if nile is loaded--it must be in order for this to work. If it is not then check your AUTOEXEC.NCF as it should be loading it. See notes for an example from a Novell NetWare 6.0 server)
If nile is not loaded correct your autoexec.ncf and restart your server.
load httpstk.nlm /SSL /keyfile:"NameOfCertificate" (watch for errors when loading this on both the console screen and logger screen (logger screen for NetWare 6.x and above). This is the case sensitive step).
To validate it (if you didn't receive any errors) you can check three things:
1. TCPCON > PROTOCOL INFORMATION > TCP > Hit ENTER on TCP CONNECTIONS. Look for ports 8008 and 8009 and check to make sure they are listening.
2. Open a web browser and type the following: http://IPAddressOfServer:8008 This will redirect you to https://IPAddressOfServer:8009 (8009 is the secure port) if is working correctly. You should be presented with the certificate.
3. To test against secure LDAP please refer to TID 10075010
If it fails look for the errors and search for them in the knowledgebase, or contact Novell technical support for additional help.
SECTION II -- Recreating your Certificate Authority
If you fail to create a certificate or fail to load it after creating one, your Certificate Authority may be corrupt/expired. (NOTE: If the CA resides on a NetWare 6.x server or above you can export the trusted root certificate--recommended).
To export the public key certificate do the following:
Go into the properties of the Organizational CA object in ConsoleOne. Go to the CERTIFICATES tab and make sure you are on the PUBLIC KEY CERTIFICATE. There is an EXPORT button at the bottom of the Properties box. Export it WITH the private key. Keep all default options when exporting the certificate. With this file we can recreate your current CA so that it works with your current KMO objects. If the export fails, it is possible that the CA must be removed and recreated. There will be other objects that must be created as well if the public and private keys can not be extracted. If this happens, the following link MUST be read before removing the CA.
How to upgrade the Organizational Certificate Authority (CA) - TID10089041 (see NOTES section).
Recreating the CA is fairly easy. Highlight the SECURITY container and find the TREENAME Organizational CA object. Pay attention to the naming convention. Highlight and delete the Organizational CA object ONLY. Then highlight the SECURITY container and go to FILE > NEW > OBJECT > NDSPKI: Certificate Authority. Make a server assignment, name your CA object, choose STANDARD options. If this recreates fine without any errors go back to SECTION I and try making and testing another certificate. If it works, great! You will need to run PKIDIAG on the servers in your tree (this will check and recreate your SSL certificates on the servers based on the new CA). If it fails you may need to reinstall Certificate Server (SECTION III).
Occasionally you will have a valid Certificate Authority object but it will be missing its host server attribute. If that is the case do the following:
Go into the PROPERTIES of the Certificate Authority object. Down in the bottom-left corner go into PAGE OPTIONS. Disable the GENERAL and CERTIFICATES tabs and close the properties box and reopen it. After reopening it go to the OTHER tab (disabling the tabs lets you see more attributes on the OTHER tab). Look at the HOST SERVER attribute and see if you have a server assigned. If not browse to one and assign it.
NOTE: The above suggestion should ONLY be used IF you are certain that the server that you specify is the SAME server that created the CA and that the server has the exact SAME NICI keys that it did when the CA was created or the CA will still be broken.
SECTION III -- Reinstalling Certificate Server
If the above did not resolve the issue, Certificate Server will need to be reinstalled. To do this, go into ConsoleOne, delete (see warning below) the SSL CertificateIP, SSL CertificateDNS, and SAS SERVICE- ServerName objects (for the server hosting the Organizational CA). First, insert your CD-ROM into the drive and mount the drive (IE CDROM, CD9660, CDDVD). Type VOLUMES to make sure you see the CD-ROM. Then, go into NWCONFIG and reinstall Certificate Server from off the 5.1 Overlay CD OR for 6.x servers go into the STARTX GUI > NOVELL > INSTALL > ADD > Follow the instructions. The only product you need to install is Certificate Server. After Installation try SECTION I again. After re-creatiing the CA, it is advisable to recreate any trusted root containers in the directory. You should also re-export the Trusted Root Certificate from the SSL CertificateDNS object and place the file in the SYS:\PUBLIC directory, replacing the one that is there.
If this step is required, the following link MUST be read before removing the CA. How to upgrade the Organizational Certificate Authority (CA) - TID10089041 (see NOTES section).
NOTE: THIS TID IS FOR GENERIC TROUBLESHOOTING STEPS. IT DOES NOT TAKE INTO ACCOUNT ANY SPECIAL CIRCUMSTANCES THAT YOU MAY HAVE. IT DOES NOT INCLUDE EXTENSIVE DETAIL. IF YOU ARE AT ALL HESITANT TO TRY ANY OF THESE STEPS FEEL FREE TO CONTACT NOVELL FOR FURTHER INSTRUCTIONS. There are many other TIDS dedicated to troubleshooting Certificate Server problems. Below is a GENERIC EXAMPLE AUTOEXEC.NCF from a NetWare 6.0 Support Pack 3 Server:
### Added by NSS Patch Installation ... Opportunistic Locking set parameter(s)
SET LEVEL 2 OPLOCKS ENABLED = ON
SET CLIENT FILE CACHING ENABLED = ON
SET BINDERY CONTEXT = OS
SET TIME ZONE = MST7MDT
SET DAYLIGHT SAVINGS TIME OFFSET = 1:00:00
SET START OF DAYLIGHT SAVINGS TIME = (APRIL SUNDAY FIRST 2:00:00 AM)
SET END OF DAYLIGHT SAVINGS TIME = (OCTOBER SUNDAY LAST 2:00:00 AM)
# Note: The Time zone information mentioned above
# should always precede the SERVER name.
SEARCH ADD SYS:\JAVA\NWGFX
SEARCH ADD SYS:\JAVA\NJCLV2\BIN
FILE SERVER NAME <SERVER NAME>
# If you change the name of this server, you must update
# all the licenses that are assigned to this server. Using
# NWAdmin, double-click on a license object and click on
# the Assignments button. If the old name of
# this server appears, you must delete it and then add the
# new server name. Do this for all license objects.
load conlog maximum=100
SEARCH ADD SYS:\JAVA\BIN
; Network driver LOADs and BINDs are initiated via
; INITSYS.NCF. The actual LOAD and BIND commands
; are contained in INITSYS.NCF and NETINFO.CFG.
; These files are in SYS:ETC.
#LOAD TCPIP FORWARD=NO
#LOAD 3C90XC.LAN SLOT=10009 FRAME=ETHERNET_II NAME=3C90XC_1_EII
#BIND IP 3C90XC_1_EII addr=IPADDRESS mask=NETMASK gate=GATEWAY
load httpstk.nlm /SSL /keyfile:"SSL CertificateIP"
LOAD NICISDI.XLM s
# Storage Management Services components required for Backup
SEARCH ADD SYS:\TOMCAT\33\BIN
#Apache is now the NetWare Web Manager server
SEARCH ADD SYS:\APACHE
# -- Added by AFP Install --
# -- End of AFP Install --
# -- Added by CIFS Install --
# -- End of CIFS Install --
#---Added By Native File Access For Unix---
#---Added By Native File Access For Unix END---
#RCONAG6.NLM is required by RConsoleJ
#LOAD RCONAG6 PASSWORD 2034 16800 2036
#iSCSI - start
# ? ISCSINIT CONNECT <IPADDRESS>
# ;COMMENT Cluster Services - start
# Start the VLDB Services
|Document Title:||Troubleshooting steps for SSL Certificates, Organizational CA, and Certificate Server.|
|Novell Product Class:||Netware|
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.