Trying to import a Verisign certificate via ConsoleOne gives a " -1 ERROR "

  • 3976735
  • 23-Jul-2007
  • 06-Jun-2012

Environment

Novell NetWare 6.5 Support Pack 2
Novell Certificate Server 2.0
Novell eDirectory 8.7.3 for NetWare 6.5

Situation

A Verisign SSL certificate was recently purchased, and an attempt is being made to import it and the root CA into a server's KMO object.
Trying to import a test Verisign certificate via ConsoleOne gives a " -1 ERROR ".
Trying to import the same certificate via iManager gives "Error: The following error occurred importing the certificate. The Novell Certificate Server plug-in to iManager could not parse the certificate or extract the mandatory elements from the certificate."
PKI_SetKeyInfo: Unable to validate chain (-1232) is seen in dstrace.nlm with the +pki and +pkiapi flags.

Resolution

For the fix below to work you must be running PKI.NLM 2.73 or higher. Version 2.73 is contained in NetWare 6.5 SP2.
NOTE: You will have to change the subject name of your server certificate object so that it matches the subject name in the signed certificate.

1. Open the properties of the object via ConsoleOne. The recommended version to date is 1.36c, available on the support site.
2. Click on the Page Options box and disable the Certificates tab in ConsoleOne. Disable - OK - OK - Cancel.
3. Open the object again - Go to the Other tab - Open the Subject Name attribute and change the subject name to match the one in the signed certificate received from Verisign. (This can be verified by pasting the signed certificate into Notepad and saving it as a filename.cer file. Then double-click on the file - Go to the Details page and examine the subject name.)
4. Now we can attempt to re-import the certificate. First the Certificates tab must be re-enabled. Open the Page Options - enable the Certificates page - Enable - OK - OK - Cancel. Now re-open the properties of the object - Go to the Certificates tab and select Import.

Additional Information

Usually, when a Certificate Signing Request is created to send to Verisign, OU= is not used in the subject name. Example: CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us

In several instances, new certificates returned by Verisign have the subject name reversed.
Example:
Original subject name in the CSR: CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us
Subject name on the returned certificate: C=us.S=utah.L=provo.O=headquarters.CN=myserver.mydomain.com

Since the subject name of the signed certificate differs from the subject used in the CSR, the import fails with the above errors.
Note: In order to see a complete dstrace of this issue you must use dstrace.nlm, not the set dstrace command. Neither the set command nor iMonitor yet has the updated return messages; there you will only see a -1 error.
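The following is an added example, not part of the original TID, that compares a CSR subject name with the subject name on the returned certificate in Novell's dotted notation and reports whether the two are identical, reversed (the case this TID describes) or otherwise different. The sample subject names are the ones quoted above; value comparison is case-insensitive, which is an assumption modelled on X.500 caseIgnore matching.

```python
import re

# Attribute types accepted in the dotted subject notation used by ConsoleOne.
# "S=" is Novell's abbreviation for state; X.500 usually writes it as ST=.
_ATTR_RE = re.compile(r"(?:^|\.)(CN|OU|O|L|ST|S|C|DC)=")

def parse_subject(subject: str):
    """Split 'CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us'
    into [('CN', 'myserver.mydomain.com'), ('O', 'headquarters'), ...].
    Values may themselves contain dots (the CN here does), so the string is
    split only where a dot is followed by a known attribute type and '='."""
    matches = list(_ATTR_RE.finditer(subject))
    if not matches or matches[0].start() != 0:
        raise ValueError(f"not a dotted subject name: {subject!r}")
    rdns = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(subject)
        rdns.append((m.group(1), subject[m.end():end]))
    return rdns

def _normalised(rdns):
    # Assumption: attribute values are matched case-insensitively.
    return [(attr, value.lower()) for attr, value in rdns]

def compare_subjects(csr_subject: str, cert_subject: str) -> str:
    """Return 'match' when both subjects carry the same RDNs in the same
    order, 'reversed' when the signed certificate has the same RDNs in the
    opposite order (the Verisign behaviour described above), otherwise
    'mismatch' (for example an OU= that appears in only one of them)."""
    csr = _normalised(parse_subject(csr_subject))
    cert = _normalised(parse_subject(cert_subject))
    if csr == cert:
        return "match"
    if csr == cert[::-1]:
        return "reversed"
    return "mismatch"

# Constructed sample input, taken from the example subjects in this TID.
CSR_SUBJECT = "CN=myserver.mydomain.com.O=headquarters.L=provo.S=utah.C=us"
CERT_SUBJECT = "C=us.S=utah.L=provo.O=headquarters.CN=myserver.mydomain.com"

if __name__ == "__main__":
    print(compare_subjects(CSR_SUBJECT, CERT_SUBJECT))  # reversed
```

When the result is "reversed", the string to paste into the object's Subject Name attribute in step 3 is the certificate's subject exactly as printed on the returned certificate.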

Example: load dstrace, then run dstrace screen=on file=on, dstrace -all, dstrace +pki +pkiapi. Once the error presents itself you can unload dstrace and read the sys:system\dstrace.log file.
Please also see the following TID: Getting a -1 error on import.

Formerly known as TID# 10094427
NOVL98710