VeriSign Intermediate CA Replacement Instructions for NetWare 6 and NetWare 6.5

  • 10090166
  • NOVL94873
  • 09-Jan-2004
  • 12-Jan-2004

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Symptom

VeriSign Intermediate CA Replacement Instructions for NetWare 6 and NetWare 6.5

Fact

Novell NetWare 6

Novell NetWare 6.5

Fix

Steps to update VeriSign's intermediate CA

1.  Using ConsoleOne, locate the KMO (VeriSign Certificate in the tree).  Right click the KMO, properties. 

2.  Click the Certificates Tab, select Export.

3.  Do you want to export the private key with the certificate?   Select Yes, then next. 




4.  The next screen will show the Filename of the Exported KMO with a PFX extension.  Enter a password to protect the private key, Select Next>

5.  A  summary appears.  Click Finish.  Your KMO should now be exported to a PFX file.

6.  Close the ConsoleOne KMO properties screen(s).

7.  Using your file browser, locate the PFX file created in step 4.  Double click this file, which will open the Internet Explorer Certificate Import Wizard. Select Next>




8.  The PFX file should be listed.  Select Next> 




9.   Enter the password used in step 4 and Select "Mark this key as exportable.  This will allow you to back up or transport your keys at a later time."  Select Next>

10.   Select Next>


11.  Completing the Certificate Import Wizard.  Select Finish. 



After selecting Finish.  You should see "The import was successful.  Select OK. Your Private Key and certificates should now be imported into Internet Explorer.  To verify, Open Internet Explorer | Tools | Internet Options | Content | Certificates | Personal - your server certificate should appear here.  


12.  Deleting the expired VeriSign Intermediate CA

Open Internet Explorer | Tools | Internet Options | Content | Certificates | Intermediate Certification Authorities.
 Find and highlight on the expired VeriSign certificate(s).  (The Issued To field will read "www.verisign.com...", the Issued By field will read "Class 3 Public ...", and the Expiration Date field will be 1/7/2004.)  Click the Remove button. Click Yes to confirm the deletion.  (There may be more than one expired VeriSign Intermediate certificate with these attributes, if there is, delete all of the expired certificates.)

Note

13. To get the Intermediate CA replacement from VeriSign

Go to https://www.verisign.com/support/site/caReplacement.html  Click "Get Intermediate CA Here (If Required)".  Click "Select All", then CTRL+C.  Open Notepad ( Click Start, run, Type NOTEPAD, Select Ok. Once Notepad is open, press CTRL+V to paste the text into Notepad.  Select File | Save As | In the Filename type, IntermediateCA.der and click Save.  Close notepad. 

14.  Find the IntermediateCA.der file you created in Step 13.  Double click on it and Select "Install Certificate"




15.  Welcome to the Certificate Import Wizard.  Select Next>

16.  Certificate Store - Select Next>

17.   Select Finish. 



After selecting Finish.  You should see "The import was successful.  Select OK


18.  Open Internet Explorer.  Tools | Internet options | Content | Certificates | Intermediate Certification Authorities |  You should see the certificate which expires in 10/24/2011. 


19.  Select the "Personal" tab, highlight the server certificate that was imported in step 11.  Select Export...  




20.  Welcome to the Certificate Export Wizard.  Select Next> 




21.  Select "Yes, export the private key"  and select Next> 




22.  Select all boxes under "Personal Information Exchange - PKCS#12 (.PFX) and select Next>  
(Note:  this will delete your server key from the Internet Explorer key store upon successful export.)



23.  Type and confirm a password. This is the password used in step 4 

24. File to Export.  Specify the name of the file you want to export.  Put a file name with no extension. (it will append a .PFX automatically) - Select Next>

25. Completing the Certificate Export Wizard.  



Select Finish.  The export was successful.  select Ok. Close Internet Explorer.


26. Using ConsoleOne, locate the KMO (VeriSign Certificate in the tree).  Right click the KMO, properties. 

27.  Click the Certificates Tab, select Replace.   Read the warning and Select "yes" to proceed. 

28.   Select "Read from file" and locate the PFX file created in Step 24 and select open.



 
Select Next>



29.   Enter password, from step 23, and select Finish. 

30. Close the ConsoleOne KMO resides properties screen(s) to refresh the KMO information.  Right click the KMO, select properties.  Click the Certificates tab, select the Public Key Certificate and select Validate. (This may take some time as ConsoleOne will need to read the Certificate Revocation List(s) (CRL) from the VeriSign site.) 

31.  Test Certificate.  

.

This message is to remind you that the VeriSign Global Server ID Intermediate Root CA expires on 1/7/2004, inform you about the potential impact of this expiration on your server using VeriSign 128-bit SSL certificates (Global Server IDs)

Summary

The old VeriSign [128-bit SSL] Global Server Intermediate Root CA will expire on 1/7/2004. Servers that have not been updated with the new Global Server Intermediate Root CA will  experience issues establishing SSL (https) sessions after 1/7/2004. 
This issue does not impact servers using VeriSign [40-bit] Secure Server ID certificates.

Who should read this bulletin?

Customers who have not installed the new VeriSign Global Server Intermediate Root CA on their server(s) or who are not sure which intermediate root CA is installed on their server(s). The new VeriSign Global Server Intermediate Root CA has the following properties:

Issued to: www.verisign.com/CPS Incorp.by Ref. LIABILITY
LTD.(c)97 VeriSign
Issued by: Class 3 Public Primary Certification Authority
Valid from: 4/16/97 to 10/24/11

Specific Issue
In December, 2001, VeriSign started issuing a new Intermediate Root CA with all [128-bit SSL] Global Server IDs (GSIDs), signed by a new root certificate that expires in 2028. The new Global Server Intermediate Root CA expires in 2011.  All GSIDs VeriSign has issued since December, 2001, have included the new [2011] Global Server Intermediate Root CA. Some server software automatically updates the intermediate root CA certificate in the server certificate store, while other server software requires manual updates of the intermediate root CA. Although VeriSign has been providing instructions on how to manually install the new Global Server Intermediate Root CA to all GSID customers since December, 2001, it is possible that some customers may not have noticed the reminder and are unaware of this issue. 

Error Condition

If an application uses PKI best practices, it will check that the validity periods of all certificates in the trusted chain do not overlap, and report an error accordingly. Because 24-month certificates issued after 1/8/2002 and 12-month certificates issued after 1/8/2003 would have validity periods in excess of the original Intermediate CA, when you obtained a new GSID that expired beyond 1/6/2004, your server application should have generated an error.

Solution for Novell Servers.  See above:

Feedback service temporarily unavailable. For content questions or problems, please contact Support.