-1,236 error creating eDirectory certificates on Solaris

  • 3049070
  • 03-Oct-2007
  • 26-Apr-2012

Environment


Novell Certificate Server (PKIS)
Novell ConsoleOne
Novell iManager
Novell eDirectory 8.7.3 for Solaris

Situation

Error: Failed to store certificates into the certificate-name object. The error code is -1,236. The object will be removed. The server could not add the specific certificate as a trusted root to the Server Certificate Object (also known as the Key Material Object).

/proc/pid-of-ndsd-process/fd directory contains 256 or more files

ndstrace with +pkii shows a failure to create/open necessary files during certificate creation

PKI versions prior to 3.2 contain fopen calls which are limited to 256 file descriptors.

Resolution

Workaround:

  • Using iManager 2.6, click on the Create Server Certificate Link.
  • Step 1
    • Choose Host server
    • Give the certificate a name after Nickname (Default SSL CertificateDNS or SSL CertificateIP)
    • Click the Custom radio button
    • Click Next
  • Step 2
    • Organizational certificate authority should be checked; leave this as is.
    • Click Next
  • Step 3
    • Leave as is and click Next
  • Step 4
    • Check "" and leave everything else as default
  • Step 5
    • Click Next leaving default settings.
  • Step 6
    • Click Finish
Checking "

Edit /usr/lib/nds-modules/ndsmodules.conf and comment out any module that isn't critical to the startup or basic function of ndsd. Examples: httpstk, snmp, gams, nldap, imon, embox, dxevent and naudit.

Restart ndsd

Create the necessary certificates

Restore the /usr/lib/nds-modules/ndsmodules.conf file to its previous state

Restart ndsd
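
The descriptor-count symptom check and the ndsmodules.conf workaround above, as an added shell example that is not Novell's code. It assumes each ndsmodules.conf entry begins with the module name and that a leading # comments a line out; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Novell's code. Run with a POSIX shell.
# Assumption: each ndsmodules.conf entry starts with the module name and
# a '#' at the start of a line comments the entry out.

# Modules the article names as not needed for basic ndsd startup.
NONCRITICAL="httpstk snmp gams nldap imon embox dxevent naudit"

# count_fds DIR: number of entries in a /proc/<pid>/fd directory.
count_fds() {
    echo $(( $(ls "$1" 2>/dev/null | wc -l) ))
}

# fd_limit_hit DIR: true when DIR holds 256 or more entries (the symptom).
fd_limit_hit() {
    [ "$(count_fds "$1")" -ge 256 ]
}

# disable_modules CONF: keep a copy as CONF.bak, then comment out every
# entry whose first field is listed in NONCRITICAL.
disable_modules() {
    cp -p "$1" "$1.bak" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%[[:space:]]*}
        case " $NONCRITICAL " in
            *" $name "*) printf '#%s\n' "$line" ;;
            *)           printf '%s\n' "$line" ;;
        esac
    done < "$1.bak" > "$1"
}

# restore_modules CONF: put the saved copy back once the certificates exist.
restore_modules() {
    [ -f "$1.bak" ] && mv "$1.bak" "$1"
}

# Usage: script check PID | disable CONF | restore CONF
case "${1:-}" in
    check)   if fd_limit_hit "/proc/$2/fd"; then
                 echo "ndsd has 256 or more open descriptors"
             fi ;;
    disable) disable_modules "$2" ;;
    restore) restore_modules "$2" ;;
esac
```

Restart ndsd after the disable step and again after the restore step, as in the procedure above.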

Fix:

The problem has been reported to development and the fix is expected to be included in PKI versions 3.2 and later.