How to import an Evaluation VeriSign External Certificate into eDirectory 8.7.3

  • 3325584
  • 23-Jul-2007
  • 24-May-2013

Environment

VeriSign Certificate
Novell NetWare 6.5
Novell eDirectory 8.7.3 for All Platforms
Novell Certificate Server 2.x

Situation

How to import an Evaluation VeriSign External Certificate into eDirectory 8.7.3

Resolution

These steps document how to import an evaluation VeriSign external certificate (valid for 14 days) into eDirectory using Novell's Certificate Server. These steps are based on the versions of Certificate Server, ConsoleOne and NICI contained in eDirectory 8.7.3 and NetWare 6.5. It also references the links found on VeriSign's site on the date of this Solution Document.

Overview:
1. First a CSR (Certificate Signing Request) must be created. To do so create a KMO (ndspki:Key Material Object) with the appropriate key information. We will then send VeriSign our CSR which they will sign and send back to us. This will be our Signed Certificate.

2. To complete the KMO, two items need to be stored during the import into eDirectory. One is the returned signed certificate referred to in the above step. The second is a Trusted Root. This can either be exported from Internet Explorer or from the vendors web site depending on the vendor. In our test case we will get it from the VeriSign site. Both the CA and Signed Certificate will be imported into the KMO created during the CSR generation procedure.

3. Services need to be configured to use the new KMO.

Together these items complete the certificate chain and allow for the certificate to be validated.

Steps:

A. Creating the CSR in Console One.

NOTE: You can also perform these steps with iManager 2.5 or greater. The wizard that takes you through the certificate creation/import process in iManager is almost identical to the one in ConsoleOne.

1. Make sure the ConsoleOne workstation is using the following:
ConsoleOne 1.3.6 or higher
Certificate Server snapin Version 2 (2.23 Build 34 or higher) Verify by selected Help - About Snapins.
Server NICI 2.6 or higher. Verify with Control Panel - Add/Remove Programs

2. Open ConsoleOne. From the server's container create a new object - NDSPKI:KeyMaterial object.

3. On the first Create Certificate dialog screen select the server this certificate will be tied to. Give it a descriptive name (ie., VeriSign).

4. For Creation Type choose Custom and select Next. On the specify Certificate Authority page select "External Certificate Authority" and select "Next".

5. On the RSA key size screen accept the defaults of 2048 bits and allow private key to be exported then select "Next".

6. The next screen is the Certificate Parameters screen. The only thing to be changed here is the subject name. This part is VERY IMPORTANT! The subject name is permanent. It should reflect the name or URL that will be used to access this server. If your community will access secure services on this server using the URL www .domain.com then that will be the "cn" part of the subject name. In our test we will www. testnovell.com. Select the "Edit" button next to Subject name then click on the 2 arrows to the right of it. This puts our server name at the beginning. For our example use the following example".CN=server1.OU=finance.O=headquarters.L=provo.S=utah.C=us" replacing the these fields with your site specific information. The OU and O values are not that important. If you need to go thru the exercise again you will need to modify the context slightly as each CSR must be unique in Subject Name. Example "CN=www. testnovell.com.OU=finance1.O=headquarters.L=provo.S=utah.C=us".

NOTE: For Verisign you will need to make sure and include the L, S and C (Location, State, Country) otherwise you will get an error when requesting the certificate in step B. This name is not an eDirectory object name even though it looks similar to one. The critical part is the cn=_____. As stated earlier, it must match the name that will be used to access the service that will be using the certificate. If the names do not match, you will always get a Security Alert warning each time the certificate is accessed.  For more information please review TID 3028260 - What causes the security alert when using https and Internet Explorer? .

7. While on the Certificate Parameters screen select to use the SHA1 algorithm (strongest authentication).

8. Select "Next" and "Finish". The keys will be generated.

9. Select to save the CSR to the System clipboard in Base64 format and select "Save".



B. Provide VeriSign with the generated CSR.

1. Go to VeriSign's site (www.verisign.com). Select the "Free SSL Trial" link. You can choose whether to save your profile information or not. Select Continue to begin the 6 Step process.

2. You are now presented with a contact information screen. You will receive the signed certificate via the email address you enter here. Fill out the form making sure you enter a valid email address and continue to the next step.

3. The screen labeled "Enter Certificate Signing Request (CSR)" prompts for the CSR to be copied into the text box provided. For the "Select Server Platform" select "Server not listed". Using the mouse left click in this blank text field then press the "Control" and "V" keys simultaneously so the CSR is copied from the clipboard to the CSR field. Click "Continue".

5. The next screen gives you the option to verify what you are about to send. Also add the requested information for the Challenge phrase and question.
6. The next screen gives you a summary and asks you to Accept the Privacy Statement. Click Accept.

6. The next page will say that the order is complete and that the instructions will arrive via email within the hour. You may record the order number for future reference if you want.



C. Acquire the Trial CA Root

This step is only needed for the evaluation certificate. We need to hold two items to complete this certificate: CA Root Authority and Signed Certificate.

1. Because the URL frequently changes the best way to find the location of the Trial CA is to go to Verisign's knowledge base and enter a query on "Download Trial Root CA" and look for the article with the solution ID of vs20710 -"Where can I download the VeriSign Test CA Root?"


D. Import the Trial CA Root and Signed Certificate into the KMO


Once you have received your email from VeriSign containing the Signed Certificate you are ready to import the Trial CA root (now containing both the Intermediate and CA root chain) and Signed Certificate into the KMO created during the CSR creation. There are two import screens presented during this process. The first requires the Trial CA root file exported from IE. The second requires the Signed Certificate emailed to you from VeriSign.

1. Using ConsoleOne open the properties of the server KMO. Select the Certificates tab - Trusted Root Certificates page - Select Import. Make sure you DO NOT check the box labeled"No Trusted Root Available". You are now at the first import screen ready to import the Trial CA Root. Select Read from File - Point to the GETACERT.CER file from Step C (You may have to select All Files for the file type in order to see the .CER file). Select Open - Next.

2. You are now at the second import screen. It is here that the Signed Certificate received from VeriSign is pasted in. Open your email client. In the last part of the email body you will see a section that has a header of Begin Certificate followed by many characters that is terminated with a End Certificate line. Highlight and copy all characters between the Begin and End statements including the Begin and End statements as well. Back on the ConsoleOne screen left click once in the Certificate Import dialog then simultaneously press the "Control" and "V" keys to paste in the information. Select Finish.

NOTE You may get a -1, -1232 error (0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE) or a message that states the subject names don't match. Often Verisign will modify the subject name in the certificate before signing it and sending it back. The subject name for the certificate in the tree must match that of the signed certificate or else the import will not complete. Please see
TID 3818804 - Trying to import a Verisign certificate via ConsoleOne gives a " -1 ERROR " for details on how to edit the subject name in eDirectory so that it matches the one in the signed certificate sent by Verisign. 
 
 
NOTE You may get a -1232 0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE or a message that states the subject names don't match. Often Verisign will modify the subject name in the certificate before signing it and sending it back. The subject name for the certificate in the tree must match that of the signed certificate or else the import will not complete. Please see
TID 3815533 - Importing an external public key certificate fails with error: "-1232 0xFFFFFB30 PKI E SUBJECT NAME COMPARISON FAILURE" for details on how to edit the subject name in eDirectory so that it matches the one in the signed certificate sent by Verisign.


3. If all the information looks correct on the Trusted Root Certificates page on the Certificates tab, then click the Validate button to make sure that the certificate chain is correct. You will also want to try to Validate the Public Key Certificate as well. If you get an error about the revocation list. Give your servers some time to synchronize and then go back and try to validate theh Public Key again.



E. Enabling the application to use the new KMO

1. Test the new KMO by unloading PORTAL.NLM and HTTPSTK.NLM from the server's console. You may have to unload some other dependencies depending on your NetWare version.

2.Reload HTTPSTK with the new KMO (Example., load HTTPSTK.NLM /SSL /keyfile:"VerisignCertKMO"
NOTE: The certificate name is case sensitive. The -SERVERNAME may be excluded.

3.Load PORTAL.NLM on the console.

4.Open a browser on a workstation and connect to Remote Manager via SSL ( Example., https: //server_ip:8009 )

5.If you are prompted to accept a certificate then the new KMO is working.
.

Additional Information

For imformation on how to import a Production Certificate and other useful TID links please see - TID 3033173

This TID formerly known as TID# 10088935
NOVL94049

Feedback service temporarily unavailable. For content questions or problems, please contact Support.