Environment
Products
Novell eDirectory 8.7.3.7 for NetWare 6.5
Novell NetWare 6.5 Support Pack 5
Novell International Cryptographic Infrastructure (NICI) 2.67
Novell Certificate Server (PKIS) 2.76
Configuration
All servers have been installed into a new eDirectory tree using the NetWare 6.5 Support Pack 5 overlay installation CD
The first server installed into the eDirectory tree is acting as Certificate Authority (CA)
Situation
Symptoms
1) The default server certificates "SSL CertificateIP - servername"
issued by the Novell eDirectory Certificate Authority do not store unique serial numbers.
2) Mozilla Firefox 1.5.0.4 returns
ERROR: You have received an invalid certificate. Please contact the server administrator or email
correspondent and give them the following information:
Your certificate contains the same number as another certificate issued by the
certificate authority. Please get a new certificate containing a unique serial number.
Resolution
The fix for this issue will be in NICI Version 2.72 shipped with
the next security services patch (version 204)
Workaround
1) delete the default Certificates
2) use PKIDIAG.NLM to generate new default Certificates
Status
Reported to Engineering
Additional Information
Steps to duplicate the Problem
1) Install at least two new NetWare 6.5 Support Pack 5 servers into a new tree
2) For each server verify the details of the default server certificates (SSL CertificateIP, SSL CertificateDNS)
2.1) Start iManager
2.2) Select Modify Object from the Directory Administration Roles and Tasks menu
2.3) Navigate to the container storing the NCP server objects
2.4) Choose a default server certificate and open the Public Key Certificate menu under the Certificates tab
2.5) Open the details and check the Serial Number attribute under the X.509 Certificate section
Notes
1) RFC 3280 states:
4.1.2.2 Serial number
The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative
integer.
2) For Novell Certificate Server, NICI is responsible for generating the serial numbers
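Checking many servers by hand in iManager does not scale, so the following added example (not part of this TID and not Novell code) walks the DER structure of exported certificates and reports any (issuer, serial) pair issued more than once, or any serial that is not a positive integer, which are the two RFC 3280 4.1.2.2 requirements quoted above. The sample certificates are constructed, unsigned skeletons built inline; real exports from the tree would be passed in as DER bytes.

```python
from collections import defaultdict

def _tlv(tag, content):
    """Tiny DER encoder: tag + definite length (contents under 256 bytes)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + content

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value, position after the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_int(value):
    n = (value.bit_length() + 8) // 8      # spare bit keeps positive values unsigned
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))

def make_test_cert(issuer_cn, serial):
    """Constructed test data: an unsigned Certificate skeleton with the given issuer CN and serial."""
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, issuer_cn.encode()))  # CN=...
    issuer = _tlv(0x30, _tlv(0x31, cn))                                             # Name
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(serial) + sig_alg + issuer)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))  # empty signature BIT STRING

def issuer_and_serial(der):
    """Walk Certificate -> tbsCertificate and return (issuer Name as raw DER, serialNumber)."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0        # [0] version is optional; v1 certs start at serial
    _, raw_serial, pos = _read_tlv(tbs, pos)
    serial = int.from_bytes(raw_serial, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)        # skip signature AlgorithmIdentifier
    _, issuer, _ = _read_tlv(tbs, pos)
    return bytes(issuer), serial

def audit_serials(certs):
    """Return (keys issued more than once, keys with serial <= 0); keys are (issuer DER, serial)."""
    seen = defaultdict(int)
    for der in certs:
        seen[issuer_and_serial(der)] += 1
    dups = sorted(k for k, c in seen.items() if c > 1)
    non_positive = sorted(k for k in seen if k[1] <= 0)
    return dups, non_positive

# Constructed sample: serial 1 issued twice by one CA (the symptom above); reuse under another CA is fine.
SAMPLE = [make_test_cert("Organizational CA", 1), make_test_cert("Organizational CA", 1),
          make_test_cert("Organizational CA", 2), make_test_cert("Other CA", 1)]
```

A non-empty duplicates list is exactly the condition that makes Firefox reject the second certificate; the issuer is kept as raw DER so that two CAs with similar names are never merged.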