OES2 - Enable Certificate Self-Provisioning is always replacing the certificates

  • 3776511
  • 28-Nov-2007
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES2)
Novell Certificate Server

Situation

When "Enable Certificate Self-Provisioning" is turned on via iManager and the PKI Server Health check runs, the certificates are always replaced.
(Note: this is NOT enabled by default on OES 2.)

The symptoms are the following:

Every time the PKI Server Health check is called (shutdown, startup, manually started) a new "default" certificate is generated and then exported to the file system.

The existing cert on the file system is backed up and replaced with the new one. If the clients have trusted the CA, they will not care that there is a new server certificate. If the clients have not trusted the CA, they will need to re-trust the new cert each time this happens. If the PKI Server Health check is run a lot, there could be many certs backed up on the file system, with a new one replacing the current one every time. It would be like saving Cert1 and replacing it with Cert2; the next time the PKI Server Health check runs it would save Cert2 and replace it with Cert3, and so on.

This only happens on OES2 after "Certificate Self-Provisioning" has been enabled, and only when the PKI Server Health check is called, which happens when PKI is shut down, started up, or manually started.
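One way to confirm the churn described above is to fingerprint the exported default certificate together with its backups and check whether every file holds a different certificate. The script below is an added example, not part of this TID; the export directory is a placeholder and the PEM inputs are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
from typing import Dict

# Placeholder: the TID does not state where OES2 exports the default certificate.
EXPORT_DIR = "/path/to/exported/certs"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` prints."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def churn_report(certs: Dict[str, str]) -> dict:
    """certs maps file name (current cert plus its backups) to PEM text.

    replaced_every_time is True when every file holds a distinct certificate,
    i.e. the Cert1 -> Cert2 -> Cert3 pattern from the symptom description.
    """
    fps = {name: pem_fingerprint(pem) for name, pem in certs.items()}
    distinct = len(set(fps.values()))
    return {
        "files": len(fps),
        "distinct": distinct,
        "replaced_every_time": len(fps) > 1 and distinct == len(fps),
        "fingerprints": fps,
    }


def _fake_pem(body: bytes) -> str:
    """Constructed PEM wrapper for demonstration only; the body is not real DER."""
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: current cert plus two backups, all different (the bug pattern).
SAMPLE = {
    "default.pem": _fake_pem(b"constructed cert 3"),
    "default.pem.bak1": _fake_pem(b"constructed cert 2"),
    "default.pem.bak2": _fake_pem(b"constructed cert 1"),
}

if __name__ == "__main__":
    print(churn_report(SAMPLE))
```

On a real server, read the files under the export directory into the dictionary instead of SAMPLE; a report with replaced_every_time set after a few PKI restarts matches the behaviour this TID describes.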

Resolution

For those who have enabled "Certificate Self-Provisioning" via iManager on an OES2 box, the following can be done:

Turn this feature off via iManager until a fix can be provided.

Or, to keep this new feature enabled, use one of the following workarounds. Either one only needs to be done once per tree:
1. Create a CRL.
2. Delete the object that points to a CRL that does not exist.

Note: If you are using a vendor-specific certificate, such as one from VeriSign, you should not see this problem, because you would NOT have enabled "Certificate Self-Provisioning".


Status

Reported to Engineering
