Backing up and Moving the Tree Certificate Authority

  • 10071751
  • NOVL80204
  • 06-Jun-2002
  • 19-Jan-2004

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.




NetWare 6


eDirectory 8.6.2

Certificate Server


With NetWare 6 you now have the ability to export the private key of the CA. This means that you can restore the CA from the exported file while keeping the same private key, so all the other certificates in the tree remain valid. In the past you would have had to re-create all certificates in the tree after creating a new CA.


This is supported with Certificate Server v2.21 or later. The versions of Certificate Server shipping with NetWare/eDir are the following:


eDir 8.6.x Solaris/Linux: CertServer 2.20

NetWare 6.0: CertServer 2.21

eDir 8.6.x NetWare/NT: CertServer 2.23


Therefore, backup and restore of the CA is supported with NetWare 6.0 (and above) and 8.6.x (and above) on NetWare and NT. It is not yet supported on Unix. You can only export the CA if it was created with Certificate Server v2.21 or later. This is because versions prior to v2.21 did not set the CA's private key to be extractable from NICI. Thus, for example, if you upgraded from NetWare 5.1 or from eDir 8.5.x and you did not recreate the CA with version 2.21 of Certificate Server or better, it will not be exportable.


Exporting/Backing up the CA

  • Open up ConsoleOne on a workstation logged into the tree.
  • Browse to the Security object (right under the root of the tree). The tree CA is contained in the Security object and is named “TREE-NAME Organizational CA”. Open the properties of that object.
  • Click on the Certificates tab, then the Export button.
  • Click Yes to export the private key, choose a file name and location for the certificate, enter a password to lock the file, then click Finish.

You have now backed up the tree's Organizational CA. You may want to copy the file onto a disk or burn it to a CD/DVD and put it somewhere safe. It can be used to restore the CA at a later point.
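Because the restore procedure below deletes the existing CA object, it is worth confirming first that the backup file opens with its password and that the private key in it belongs to the CA certificate. The script below is an added example, not part of the original Novell document: it assumes the export is a PKCS#12 file and that the openssl command-line tool is available, and the function names, the CA_BACKUP_PASS variable and the sample CA are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm a CA backup is usable before the old CA object is deleted.
# Assumptions: the export is a PKCS#12 file, the openssl CLI is installed, and the
# password is supplied in the CA_BACKUP_PASS environment variable (hypothetical name)
# so that it does not appear in the process list.

# Public key of the first certificate in the file.
cert_pubkey() {
    openssl pkcs12 -in "$1" -passin env:CA_BACKUP_PASS -nokeys 2>/dev/null |
        openssl x509 -pubkey -noout 2>/dev/null
}

# Public key derived from the private key in the file. The key is only piped
# between processes and never written to disk.
key_pubkey() {
    openssl pkcs12 -in "$1" -passin env:CA_BACKUP_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# Succeeds only if the file opens with the password, holds a private key,
# and that key belongs to the certificate.
check_ca_backup() {
    ccb_cert=$(cert_pubkey "$1") || return 1
    ccb_key=$(key_pubkey "$1") || return 1
    [ -n "$ccb_cert" ] && [ "$ccb_cert" = "$ccb_key" ]
}

# Constructed stand-in for a real export: a throwaway self-signed CA in PKCS#12 form.
make_sample_backup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=MY-TREE/CN=Sample Organizational CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.crt" \
        -passout env:CA_BACKUP_PASS -out "$1/ca.pfx" 2>/dev/null
}

CA_BACKUP_PASS='constructed-sample-password'
export CA_BACKUP_PASS
SAMPLE_DIR=$(mktemp -d)
make_sample_backup "$SAMPLE_DIR"
if check_ca_backup "$SAMPLE_DIR/ca.pfx"; then
    echo "backup opens and key matches certificate"
else
    echo "backup is NOT usable"
fi
```

For a real export, set CA_BACKUP_PASS and call check_ca_backup with the path to the exported file in place of the sample.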



Moving/Restoring the CA

  • Open up ConsoleOne on a workstation logged into the tree.
  • On the destination server, open up NWCONFIG and verify that Certificate Server is installed. If it is not, install it from the NetWare 6 CD.
  • Browse to the Security object (right under the root of the tree).
  • Delete the Organizational CA object; it will be named “TREE-NAME Organizational CA”.
  • Right-click the Security container, click New, then Object. Create a new NDSPKI:Certificate Authority object. Browse and select the destination server as the host server.
  • Name the object “MY-TREE Organizational CA”.
  • Select the import option and click Next. Select Read From File and browse to the CA file that you previously exported, then click Next.
  • Enter the password that you assigned to the file and click Finish.
  • Open the properties of the new CA object and click Validate under the Certificates tab to ensure the certificate is valid.

You can also open the properties of other Certificate objects in the tree and test their validity. Those certificates do not have to be re-created; they should work just fine.

