Environment
Novell NetWare 6.5 Support Pack 1
Novell Certificate Server 2.0
Novell eDirectory 8.7.3 for NetWare 6.5
Situation
A Verisign SSL certificate was recently purchased, and attempts to
import it and the root CA into a server's KMO object fail.
Trying to import the Verisign certificate via ConsoleOne gives a
"-1 ERROR".
Trying to import the same certificate via iManager gives "Error:
The following error occurred importing the certificate. The Novell
Certificate Server plug-in to iManager could not parse the
certificate or extract the mandatory elements from the certificate."
Resolution
This issue has been resolved in PKI.NLM 2.73 or higher. Version
2.73 is contained in NetWare 6.5 SP2. It can also be found in the
latest security update, presently SECUPD6A.TGZ.
NOTE: You will have to change your server certificate's subject name
to match the subject name in the signed certificate.
1. Open the properties of the object via ConsoleOne.
Recommended version to date is 1.36c, available on the support
site.
2. Click on the Page Options box and disable the
Certificates tab in ConsoleOne. Disable - OK - OK - Cancel.
3. Open the object up again - Go to the Other tab - Open
the Subject Name attribute and change the subject name to match the
one in the signed certificate received from Verisign. (This can be
verified by pasting the signed certificate into Notepad and saving
it as a filename.cer file. Then double-click on the file - Go to the
Details page and examine the subject name.)
4. Now we can attempt to re-import the
certificate. First the Certificates tab must be re-enabled. Open
the Page Options - enable the Certificates page - Enable - OK - OK
- Cancel. Now re-open the properties of the object - Go to the
Certificates tab and select Import.
Please also see the following TID: 3976735.
Additional Information
Usually, when a Certificate Signing Request is created to send
to Verisign, the OU= is not used in the subject name. Example:
CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us
All new certificates being sent from Verisign now contain an OU=
in the subject name of the signed certificate returned, regardless
of whether one was specified in the CSR. Example:
CN=myserver.mydomain.com.OU=Terms of use at www.verisign.com/RPA (c)01.O=headquarters.L=provo.S=utah.C=us
Since the subject name of the signed certificate is different
from the subject used in the CSR, the import fails with the above
errors.
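As an added example (not part of the original TID and not Novell code), the Python sketch below parses the dotted subject-name notation used in the two examples above and reports which components have to be added to the Subject Name attribute before the import. The function names are hypothetical, and it assumes a new component starts at a dot followed by CN, OU, O, L, S or C and "=".

```python
import re

# Attribute types that occur in the subject names quoted in this TID.
RDN_TYPES = ("CN", "OU", "O", "L", "S", "C")

# Assumption: a dot starts a new component only when an attribute type and
# "=" follow it, so dots inside values (myserver.mydomain.com) are kept.
_BOUNDARY = re.compile(r"\.(?=(?:%s)=)" % "|".join(RDN_TYPES), re.IGNORECASE)

# The two example subject names from the TID text.
CSR_SUBJECT = "CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us"
CERT_SUBJECT = ("CN=myserver.mydomain.com."
                "OU=Terms of use at www.verisign.com/RPA (c)01."
                "O=headquarters.L=provo.S=utah.C=us")


def parse_subject(name):
    """Split a dotted typed name into an ordered list of (TYPE, value)."""
    components = []
    for part in _BOUNDARY.split(name.strip()):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("not a TYPE=value component: %r" % part)
        components.append((attr.strip().upper(), value.strip()))
    return components


def diff_subjects(current, signed):
    """Compare the subject on the object with the signed certificate's.

    Returns (identical, to_add, to_remove); values are compared exactly.
    """
    cur, sig = parse_subject(current), parse_subject(signed)
    to_add = [c for c in sig if c not in cur]
    to_remove = [c for c in cur if c not in sig]
    return cur == sig, to_add, to_remove


if __name__ == "__main__":
    identical, to_add, to_remove = diff_subjects(CSR_SUBJECT, CERT_SUBJECT)
    print("identical:", identical)
    for attr, value in to_add:
        print("only in signed certificate: %s=%s" % (attr, value))
    for attr, value in to_remove:
        print("only in current subject:   %s=%s" % (attr, value))
```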
Formerly known as TID# 10094212
NOVL98429