Novell Certificate Server returns ERROR: Server Certificate (Key Material) Creation Error

  • 3301322
  • 08-Nov-2006
  • 30-Apr-2012

Environment


Novell eDirectory 8.8 for All Platforms
Novell eDirectory Service Pack 1
Novell Certificate Server 3.11
Novell iManager 2.6
The Novell eDirectory Certificate Authority (CA) acts as an intermediate root
The intermediate root certificate has been issued by an OpenSSL CA

Situation

Novell Certificate Server returns:

ERROR: Server Certificate (Key Material) Creation Error
There was an error while trying to create the Server Certificate. You need to delete the Server Certificate, if it exists, and start the creation process again
The error code is: -1253: An internal error has occurred

Using the DSTRACE tool with the "+PKI" filter returns:

PKI_EncodeNovellAttributeExtension: EID encode erorr (-1253)
SC: err from PKI_GenerateCertificateFromCSR = -1253
PKIVerbHandOff returned -1253
Exiting PKIVerbHandOff rc = -1253
Exiting PKIWireRequest err = -1253

Creating the server certificate manually works fine, using the following steps:
  1. Create a new Server Certificate using the iManager
    Novell Certificate Server "Create Server Certificate" task
  2. Select the server you would like to create the new certificate for and provide a Certificate Nickname (KMO name)
  3. Select the "custom" creation method
  4. Choose the "External Certificate Authority" to be the CA which will sign the certificate.
  5. Store the Certificate Signing Request (CSR) on your local workstation
  6. Issue the Certificate using the iManager Novell Certificate Server "Issue Certificate" task
  7. Select the CSR file from your local workstation storing your Certificate Signing Request
  8. Select the key type, extended key usage, Certificate Basic Constraints
    and Certificate Parameters based on your needs
    For Server certificates this is usually:
    KeyType: SSL/TLS
    Extended Key usage: Server
    Certificate Basic Constraints: unspecified
  9. Create a PKCS#7 file using the Issued Certificate, Intermediate Root Certificate and Root Certificate
    (See KB 10063558 for further details on how to create a PKCS#7 file)
  10. Import the Certificate using the PKCS#7 file into the KMO object created during the CSR process using the iManager Directory Administration modify object task
  11. Choose the PKCS#7 file only as Certificate data filename (leave the Trusted Root data filename empty)
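
Step 9 leaves the PKCS#7 assembly to KB 10063558. As an added example (not taken from this TID or that KB), the script below builds the bundle with the OpenSSL command line and checks the chain and certificate count before the import in step 10. All file names are hypothetical, and the test chain is constructed throwaway data standing in for the issued, intermediate root and root certificates.

```shell
#!/bin/sh
# Added example, not part of the TID: assemble and check the step 9 PKCS#7 file with OpenSSL.
# File names are hypothetical; make_test_chain builds constructed throwaway certificates.

# make_test_chain DIR: create root -> intermediate -> server certificates (PEM) in DIR.
make_test_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext
    for n in root int server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/O=Example/CN=test-$n" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -extfile ca.ext -days 2 -out int.pem 2>/dev/null &&
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -set_serial 3 \
        -extfile srv.ext -days 2 -out server.pem 2>/dev/null
)

# verify_chain ROOT INTERMEDIATE LEAF: succeed only if LEAF chains through INTERMEDIATE to ROOT.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# build_p7b OUT CERT...: write a certificate-only PKCS#7 file (PEM) containing every CERT.
build_p7b() {
    out=$1; shift
    # Turn each path into a "-certfile path" pair without breaking on spaces.
    for c in "$@"; do set -- "$@" -certfile "$c"; shift; done
    openssl crl2pkcs7 -nocrl "$@" -out "$out"
}

# count_p7b_certs FILE: print how many certificates the PKCS#7 file holds.
count_p7b_certs() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# Demo on the constructed chain when invoked as: sh p7b.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_test_chain "$d" &&
    verify_chain "$d/root.pem" "$d/int.pem" "$d/server.pem" &&
    build_p7b "$d/chain.p7b" "$d/server.pem" "$d/int.pem" "$d/root.pem" &&
    echo "chain OK, $(count_p7b_certs "$d/chain.p7b") certificates in $d/chain.p7b"
fi
```

Running `verify_chain` before bundling catches a missing or wrong intermediate root certificate on the workstation, before anything is imported into the KMO.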

Resolution

This issue has been reported to engineering.