Environment
Novell eDirectory 8.8 for All Platforms
Novell eDirectory Service Pack 1
Novell Certificate Server 3.11
Novell iManager 2.6
The Novell eDirectory Certificate Authority (CA) acts as an intermediate root
The intermediate root certificate has been issued by an OpenSSL CA
Situation
Novell Certificate Server returns:
ERROR: Server Certificate (Key Material) Creation Error
There was an error while trying to create the Server Certificate. You need to delete the Server Certificate, if it exists, and start the creation process again
The error code is: -1253: An internal error has occurred
Using the DSTRACE tool with the "+PKI" filter returns:
PKI_EncodeNovellAttributeExtension: EID encode erorr (-1253)
SC: err from PKI_GenerateCertificateFromCSR = -1253
PKIVerbHandOff returned -1253
Exiting PKIVerbHandOff rc = -1253
Exiting PKIWireRequest err = -1253
Using a manual procedure to create a server certificate works fine using the following steps:
- Create a new Server Certificate using the iManager Novell Certificate Server "Create Server Certificate" task
- Select the server you would like to create the new certificate for and provide a Certificate Nickname (KMO name)
- Select the "custom" creation method
- Choose the "External Certificate Authority" to be the CA which will sign the certificate.
- Store the Certificate Signing Request (CSR) on your local workstation
- Issue the Certificate using the iManager Novell Certificate Server "Issue Certificate" task
- Select the CSR file from your local workstation storing your Certificate Signing Request
- Select the key type, extended key usage, Certificate Basic Constraints and Certificate Parameters based on your needs
  For Server certificates this is usually:
  KeyType: SSL/TLS
  Extended Key usage: Server
  Certificate Basic Constraints: unspecified
- Create a PKCS#7 file using the Issued Certificate, Intermediate Root Certificate and Root Certificate (See KB 10063558 for further details on how to create a PKCS#7 file)
- Import the Certificate using the PKCS#7 file into the KMO object created during the CSR process using the iManager Directory Administration modify object task
- Choose the PKCS#7 file only as Certificate data filename (leave the Trusted Root data filename empty)
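The PKCS#7 step above can be checked before the import. This is an added example, not part of the KB and not the method of KB 10063558. It uses the OpenSSL command line and assumes the certificates and the CSR are available as PEM files; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the KB). File names are hypothetical; inputs are PEM.

# cert_matches_csr CERT CSR
# Succeeds only if the issued certificate carries the public key from the CSR,
# i.e. it belongs to the key pair held by the KMO that produced the CSR.
cert_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# build_p7b LEAF INTERMEDIATE ROOT OUT
# Bundles the three certificates into one PKCS#7 file, but only after the
# chain leaf -> intermediate -> root validates.
build_p7b() {
    if ! openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
        echo "chain does not verify, not bundling: $1" >&2
        return 1
    fi
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -certfile "$3" -out "$4"
}

# count_p7b_certs FILE: prints how many certificates the bundle contains.
count_p7b_certs() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}
```

A bundle built this way should report three certificates; the output is PEM-encoded PKCS#7, which is an assumption about what the import task accepts.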
Resolution
This issue has been reported to engineering.