How to create the KAP and the W0 objects manually

  • 3854276
  • 13-Apr-2007
  • 16-Mar-2012

Environment

Novell NetWare 6.5
Novell Certificate Server

Situation

The Certificate Authority, along with the KAP and W0 objects, was deleted
User wants to move their CA to a different server
How to create the KAP and the W0 objects manually

Resolution

NOTE: If you need to delete your CA or move it to a different server, it is NOT necessary to delete the KAP and W0 objects. They work independently of the Certificate Server. If the server that is specified in the NDSPKI:SD Key Server DN attribute on the W0 object is no longer in the tree, then you can change the attribute to point to a different server. It is not necessary to delete the KAP and W0 objects.

1. Make sure Certificate Server (PKI) is installed on the desired server. (The KAP and W0 objects are not created by default when you reinstall Certificate Server.)
2. Open ConsoleOne and highlight the Security container in the left-hand pane
3. Create a new object and select NDSPKI:SD Key Access Partition
- Ignore any errors about snap-ins
- For the name of the new object use KAP
4. Highlight the new KAP object and create a new object
5. Select NDSPKI:SD Key List
- Again, ignore any errors about snap-ins
6. Name the new object W0 (make sure it is a zero)
7. Go into the properties of the W0 object and go to the Other tab
8. Select the Add button and add the NDSPKI:SD Key Server DN attribute

Be careful when assigning the NDSPKI:SD Key Server DN attribute. The server you select as the master key server must have all the tree keys for your tree. If it does not, it can cause tree key inconsistencies. You can use SDIDIAG to check the synchronization of your tree keys and verify that the server you are selecting has a copy of all the tree keys for your tree. (See KB 3455150 - Using SDIDiag to gather specific SDKey information from servers)

9. Use the browse button to browse to the server you would like to make the master tree key server for the tree.
10. Go to the Trustees of the W0 object and add EVERY SERVER in your tree as a trustee with the default rights of Read/Write for All Attribute Rights and Compare for Entry Rights.

Additional Information

Formerly known as TID# 10093216