Environment
Novell eDirectory 8.7.3 for Linux
Novell Open Enterprise Server
Situation
By default, the SSL certificates created during the install of OES1 and used for its services expire 2 years after the install of OES1.
After the SSL certificates expire, these services fail to work until the SSL certificate is recreated and the service/application has been reconfigured to use the new SSL certificate.
Resolution
Once the SSL Certificate has expired, a new SSL Certificate needs to be created.
To create a new eDirectory SSL Certificate, do the following:
(the following steps assume the use of iManager 2.7 with the latest Certificate Server Plug-ins)
1. Log in to iManager 2.7.
2. From the Roles and Tasks, expand "Novell Certificate Server". Select "Repair Default Certificates" and follow the Wizard to create new SSL certificates.
3. Once the new SSL certificates are recreated, restart nldap and verify a Secure LDAP connection can be made. (See TID# 7002343)
4. After LDAP is running with the new certificate, you need to import the certificate into Linux User Management. Do this by running "namconfig -k", logging in, and then restarting namcd with "rcnamcd restart".
Any other service/application which relies on SSL and LDAPS will need to be reconfigured once the SSL Certificates expire.
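The script below is an added example, not part of the original TID or of any Novell tooling. It reads the certificate served on an LDAPS port and reports whether it is expired or close to expiry, which is useful both before the 2 year limit is reached and after restarting nldap in step 3. It assumes openssl and GNU date are installed; ldap.example.com is a placeholder host name, and WARN_DAYS and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the expiry of the certificate served on an LDAPS port.
# Assumptions: openssl and GNU date are available; host names are placeholders.

WARN_DAYS=${WARN_DAYS:-60}   # start warning this many days before expiry

# classify NOT_AFTER_EPOCH NOW_EPOCH -> prints EXPIRED, WARN or OK
classify() {
    remaining=$(( $1 - $2 ))
    if [ "$remaining" -le 0 ]; then
        echo EXPIRED
    elif [ "$remaining" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo WARN
    else
        echo OK
    fi
}

# fetch_not_after HOST [PORT] -> prints the notAfter date of the served certificate.
# s_client completes the handshake even when the certificate is already expired,
# so an expired certificate is still reported rather than hidden.
fetch_not_after() {
    openssl s_client -connect "$1:${2:-636}" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# check_host HOST [PORT] -> prints one status line; returns 0 only when state is OK
check_host() {
    not_after=$(fetch_not_after "$1" "$2")
    if [ -z "$not_after" ]; then
        echo "$1:${2:-636} no certificate received" >&2
        return 2
    fi
    end=$(date -d "$not_after" +%s) || return 2   # GNU date parses the openssl format
    now=$(date +%s)
    state=$(classify "$end" "$now")
    days=$(( (end - now) / 86400 ))
    echo "$1:${2:-636} $state days_left=$days notAfter=$not_after"
    [ "$state" = OK ]
}

# Run only when a host is given, e.g.: sh ldaps-expiry.sh ldap.example.com 636
if [ $# -gt 0 ]; then
    check_host "$@"
fi
```

Run from cron against each server that offers LDAPS, a non-zero exit status gives advance notice to run "Repair Default Certificates" before dependent services stop working.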
NOTE: It is a security best practice to allow only a 2 year expiration on server certificates, because older crypto methods become weaker and new ones are released. However, certificates can be manually created for longer than 2 years. To do so, please refer to the Certificate Server Administration Guide for your version.