Basic troubleshooting steps for certificate server problems

  • 10075982
  • NOVL83304
  • 24-Oct-2002
  • 24-May-2004

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.


Basic troubleshooting steps for certificate server problems


Novell Apache 1.3.26

Novell Apache 1.3.27

Novell NetWare 5.1

Novell NetWare 6.0


Troubleshooting methodology:

1)  Check to see if you can get an SSL connection through a remote manager (Netware 6) / management portal (Netware 5.1) connection from your web browser to your server.   This is achieved by hitting the management portal  on the public port.   The address is HTTP://SERVER_IP:8008.  Then log in, and note if the http statement changes to https and that the port changes to 8009.   If when you log in but still get 8008,  you have SSL problems.

Assuming this is the case, verify that the management portal modules are loaded.   They are:   NILE.NLM, HTTPSTK.NLM, and PORTAL.NLM.  

Verify that the HTTPSTK module loads successfully with the following switches:   "LOAD HTTPSTK /SSL /keyfile:"SSL CertificateIP".  Check this on Netware 6 by scrolling up the logger screen until you see the first load statement for the HTTPSTK module.   In Netware 5.x, unload the module in order to reload it.   This will have several dependent modules which will have to be unloaded also.  

If HTTPSTK.NLM loads successfully with the additional two switches (/ssl and /keyfile), as well as the other two modules (NILE and PORTAL), then attempt to hit this server on its secure port, by hitting  HTTPS://SERVER_IP:8009.     If this fails, then you may have certificate server problems; if not, you have configuration problems, totally unrelated to certificate server, but maybe related to the certificate  or port that these applications utilize.

2)  Assuming there are certificate server problems,  then run PKIDIAG.NLM on the server.   This module is downloadable from the website, selecting the patches and files link.   Search for the actual file, and you will find a stand-alone file.  

Copy this into the SYS:SYSTEM directory, then run it.  It will require admin login.   At that point, it will pull up a primitive menu option list.   Select option 4, which toggles the mode to FIX.   Then select option 0, which will run the repairs.   When it completes, look at the number of errors found, and the number of errors fixed.   If not all errors are fixed, review the errors listed.   You may have SSL objects that are not successfully created.   

3)  If all errors are reported as being corrected, then run the portal test again.  

If not all errors are corrected, then test again, this time testing the validity of the certificate authority.  

Check the certificate authority by attempting to create a certificate for that server.   To determine which server is the certificate authority, go to ConsoleOne, browse the security container at the root of the tree, and look for the TREENAME Organizational CA object.   View the properties of this object, and note in the general tab which server is listed as the host server.    This server is the certificate authority.  

Go to the container where this server object is found, highlight the container, right click on it, select NEW > OBJECT > NDSPKI: Key Material.   You will need the client version of NICI, 2.4.2 or later, on your workstation running console one.   This is found at the website, under the product name select Novell International Cryptographic Infrastructure.    Download and install this on your client. 

Once you are ready, select the server you want to apply this certificate to (i.e. the certificate authority server), then name the certificate.   Allow for the standard method of certificate creation, and select NEXT.   Then at the next window, select FINISH.   If you get blank screens, or the install hangs, you have either client NICI problems or a console one snap in problem.      If you get an error message, after selecting FINISH, then you have either certificate server problems or NICI problems, depending on the error message.   Certificate server errors start with -12xx, and NICI problems start with error number -14xx.

If you get error messages here, then your certificate authority is damaged, which means no other server in the tree will be able to create SSL certificates.   The SSL certificates already present, if functional, will continue to function.  

If this server's certificate server is broken, all other servers with certificate server are essentially broken in the same fashion.   No new certificates will be created.   The method of repairing this is to remove all instances of certificate server from the entire tree (namely all  SSL and SAS objects), as well as the Organizational CA object found in the Security container, and reinstall certificate server on the server that you want to be the Certificate Authority.  It is not necessary to reinstall Certificate Server on all the other servers in the tree, however, you will need to delete the SAS and SSL certificates for the other servers in the tree and recreate them using PKIDIAG.  PKIDIAG can be downloaded from and is included with NetWare 6.5 SP1a.  Simply load PKIDIAG on the server and run options 4, 5, 6, and then 0.  

4)  Assuming the certificate creates just fine on the certificate authority, but the running of PKIDIAG did not recreate all certificates, then simply delete and recreate the SSL objects associated with this particular server, which are found in the same container as the server object.   This must be done in Console One, and the same prerequisite NICI patch applies.     After deleting the SSL objects, allow the eDir replicas to synch out the changes, or encourage them by running the dstrace commands:

Set dstrace=*f
Set dstrace=*h

Verify that these obituaries have processed by running dsrepair > advanced options > check external references.  If the obituaries have processed, then you can proceed with the creation of these certificates.   

Creating the certificates with their same names is only a convention.  It makes things a little bit easier by not having to change any configuration files on the web server or portal.   The certificates are identical in all but name.  

The certificates are named (including a space):    

SSL certificateIP
SSL certificateDNS

Case sensitivity is NOT required.  

After recreating these certs, you could test these again, with portal for SSL CertificateIP and probably SSL CertificateDNS for webserver.    These are the default conventions, but should be verified.      If you still have problems, bring down the server to DOS and reload Netware.  


Feedback service temporarily unavailable. For content questions or problems, please contact Support.