Moving the Certificate Authority

  • 10065940
  • NOVL63246
  • 09-Nov-2001
  • 29-Sep-2003

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Goal

Moving the Certificate Authority

Fact

Certificate Server

NetWare 5.1

Novell NetWare 6.0

Fix

In general, moving a Certificate Authority (CA) between two servers will only work if the CA has been created with NICI 2.1 or higher and Certificate Server 2.20 or higher.

This will most likely be the case if the CA has been created on a Novell NetWare 6.X server. With versions prior to NICI 2.X, the private key of the RSA key pair is stored in the NICI crypto storage in a format which does not allow the private key to be exported. Therefore the CA cannot be exported into a PKCS#12 envelope (PFX file). Since NICI 2.X and Certificate Server 2.2X, the private key can be stored in a format which allows an export after it has been created. So if the CA has been created with NICI 1.X and Certificate Server 2.0x, the CA can only be re-created, not moved between two servers.

Re-create a CA

Conditions:

  • old server stays in the tree
  • new server has been already installed into the tree
  • new server has a valid copy of the Security Domain Key (SDI Key)
  • if the new server is a NetWare 5.1 server
    • apply the latest service pack
    • make sure it runs NICI 2.XX and Certificate Server 2.2X or higher (shipped with eDirectory)
  • new server has a copy of the security container (Root partition or Security Partition root object)
  • make sure your administration workstation runs the latest client NICI, ConsoleOne and Certificate Server Snapins for ConsoleOne Version 2.2X or higher

Steps:

If you would like to keep the same object and subject name, write down this information from your old CA object.

  1. Delete the old CA object stored in the security container
    Note: The Certificate Authority (CA) used by a Public Key Infrastructure (PKI) is only used during the process of issuing certificates. This means services based on existing user and server certificates issued by your tree CA will continue to work after you have deleted the CA. (All KMO objects store a copy of the complete trust chain, including the trusted root certificate.)
  2. Use ConsoleOne to create a new CA object and assign this object during the creation process to the new server.
  3. Use PKIDIAG on all other servers to create new default KMO objects (replacement mode). To create new server certificates for the remaining 5.1 servers, you can download and run PKIDIAG1.EXE from support.novell.com or, if that fails, re-install Certificate Server on each server.
  4. Create new user certificates if you are using user certificates which have been issued by your tree CA
  5. If you are using NMAS or iChain add the new trusted root certificate to your Trusted Root Container

Note: Do not delete any of the following objects to re-create a CA

  1. SAS objects
  2. Login Policy Objects (LPO)
  3. Key Access Partition Object KAP and W0 Objects
  4. Security Container
  5. Old user and Server Certificates


Move the Certificate Authority (CA)

Conditions:

  • old CA has been created with NICI 2.XX and Certificate Server 2.2X or higher (shipped with eDirectory)
  • old server stays in the tree
  • new server has already been installed into the tree
  • new server has a valid copy of the Security Domain Key (SDI Key)
  • if the new server is a NetWare 5.1 server
    • apply the latest service pack
    • make sure it runs NICI 2.XX and Certificate Server 2.2X or higher (shipped with eDirectory)
  • new server has a copy of the security container (Root partition or Security Partition root object)
  • make sure your administration workstation runs the latest client NICI, ConsoleOne and Certificate Server Snapins for ConsoleOne Version 2.2X or higher

Steps:

  1. Use ConsoleOne to export the CA into a PKCS#12 envelope (PFX file)
  2. Delete the old CA object
  3. Create a new CA object and use the import process to read all required information from the created PKCS#12 file
