New Certificates issued by the Organizational CA do not work with NILE / SAS

  • 7003048
  • 20-Apr-2009
  • 26-Apr-2012

Environment

Novell Open Enterprise Server for Linux
Novell Open Enterprise Server for NetWare
Novell eDirectory 8.7.3 for Linux
Novell eDirectory 8.7.3 for NetWare 6.5
Novell iManager Version 2.5

Situation

  • The Organizational CA (Trusted Root) has been manually created using iManager 2.5
  • PKIDIAG does not report any problems
  • Re-generating default Certificates by using PKIDIAG does not solve the problem
  • SDIDIAG does not report any SDI key problems / inconsistencies
  • Certificates storing a UTF8 encoded subject name do not work with services relying on SAS / NILE
  • Any new Certificates issued by the manually created Organizational CA do not work with Apache or the Novell Remote Manager
    but do work with LDAP (NLDAP)

Resolution

  • Re-generate a new Certificate Authority (CA) for your eDirectory tree using iManager 2.7 and the latest available version of the "Novell Certificate Server Plug-ins for iManager". Make sure that the new CA will not be created with a UTF8 encoded subject name.

Additional Information

The subject name of the self-signed Certificate (Trusted Root, Organizational CA) has been UTF8 encoded. Apache and the Novell Server Portal use the SAS/NILE service in order to run an SSL handshake, and both services require the Terisa subsystem (key file) to do so. Because the Terisa code cannot handle UTF8 encoded subject names, no Terisa Key File attribute is created on a new Key Material Object (KMO) issued by such a CA. Certificates with the missing Terisa Key File attribute still work with LDAP, as LDAP does not rely on SAS/NILE but on NTLS.

Troubleshooting

  1. Use DSBROWSE, an LDAP browser, or ConsoleOne without any Certificate Server snap-in (PKI.JAR) or iManager to verify whether the KMO stores any value in the "nDSPKI: Key File" attribute.
  2. Export any public key Certificate in the trust chain and use OpenSSL to decode the ASN1 structure in order to verify whether the Certificate "Subject Name" or "Issuer" has been UTF8 encoded (UTF8STRING instead of PRINTABLESTRING).

Example of checking the ASN1 structure of an Organizational CA certificate whose Subject Name is UTF8 encoded (note the UTF8STRING entries at offsets 211 and 228, whereas the Issuer at offsets 75 and 102 uses PRINTABLESTRING):

openssl asn1parse -inform DER -dump -in rootcert.der

0:d=0  hl=4 l=1247 cons: SEQUENCE
4:d=1  hl=4 l=1096 cons: SEQUENCE
8:d=2  hl=2 l=   3 cons: cont [ 0 ]
10:d=3  hl=2 l=   1 prim: INTEGER       :02
13:d=2  hl=2 l=  34 prim: INTEGER       :021C14E16E794662D1A4C97796A10018ACE983E009D2AE9496DD3F1E3E0902020B6F
49:d=2  hl=2 l=  13 cons: SEQUENCE
51:d=3  hl=2 l=   9 prim: OBJECT        :sha1WithRSAEncryption
62:d=3  hl=2 l=   0 prim: NULL
64:d=2  hl=2 l= 102 cons: SEQUENCE
66:d=3  hl=2 l=  25 cons: SET
68:d=4  hl=2 l=  23 cons: SEQUENCE
70:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
75:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :NICI Licensed CA
93:d=3  hl=2 l=  73 cons: SET
95:d=4  hl=2 l=  71 cons: SEQUENCE
97:d=5  hl=2 l=   3 prim: OBJECT            :commonName
102:d=5  hl=2 l=  64 prim: PRINTABLESTRING  :NICI Machine-Unique CA 14E16E79-4662D1A4C97796A10018ACE983E009D2
168:d=2  hl=2 l=  30 cons: SEQUENCE
170:d=3  hl=2 l=  13 prim: UTCTIME          :050526102837Z
185:d=3  hl=2 l=  13 prim: UTCTIME          :150526102837Z
200:d=2  hl=2 l=  45 cons: SEQUENCE
202:d=3  hl=2 l=  15 cons: SET
204:d=4  hl=2 l=  13 cons: SEQUENCE
206:d=5  hl=2 l=   3 prim: OBJECT           :organizationName
211:d=5  hl=2 l=   6 prim: UTF8STRING
219:d=3  hl=2 l=  26 cons: SET
221:d=4  hl=2 l=  24 cons: SEQUENCE
223:d=5  hl=2 l=   3 prim: OBJECT           :organizationalUnitName
228:d=5  hl=2 l=  17 prim: UTF8STRING
247:d=2  hl=4 l= 290 cons: SEQUENCE
251:d=3  hl=2 l=  13 cons: SEQUENCE
253:d=4  hl=2 l=   9 prim: OBJECT           :rsaEncryption
264:d=4  hl=2 l=   0 prim: NULL
266:d=3  hl=4 l= 271 prim: BIT STRING
541:d=2  hl=4 l= 559 cons: cont [ 3 ]
545:d=3  hl=4 l= 555 cons: SEQUENCE
549:d=4  hl=2 l=  29 cons: SEQUENCE
551:d=5  hl=2 l=   3 prim: OBJECT           :X509v3 Subject Key Identifier
556:d=5  hl=2 l=  22 prim: OCTET STRING
580:d=4  hl=2 l=  31 cons: SEQUENCE
582:d=5  hl=2 l=   3 prim: OBJECT           :X509v3 Authority Key Identifier
587:d=5  hl=2 l=  24 prim: OCTET STRING
613:d=4  hl=2 l=  12 cons: SEQUENCE
615:d=5  hl=2 l=   3 prim: OBJECT           :X509v3 Basic Constraints
620:d=5  hl=2 l=   5 prim: OCTET STRING
627:d=4  hl=2 l=  11 cons: SEQUENCE
629:d=5  hl=2 l=   3 prim: OBJECT           :X509v3 Key Usage
634:d=5  hl=2 l=   4 prim: OCTET STRING
640:d=4  hl=4 l= 460 cons: SEQUENCE
644:d=5  hl=2 l=  11 prim: OBJECT           :2.16.840.1.113719.1.9.4.1
657:d=5  hl=4 l= 443 prim: OCTET STRING
1104:d=1  hl=2 l=  13 cons: SEQUENCE
1106:d=2  hl=2 l=   9 prim: OBJECT          :sha1WithRSAEncryption
1117:d=2  hl=2 l=   0 prim: NULL
1119:d=1  hl=3 l= 129 prim: BIT STRING
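The same check can be scripted so that it does not depend on reading the asn1parse output by eye. The following Python script is an added example, not part of the original TID and not Novell code: it walks the DER structure of a certificate, locates the Issuer and Subject inside the TBSCertificate, and reports the ASN.1 string type (PRINTABLESTRING, UTF8STRING, ...) used for every attribute. The sample certificate embedded at the bottom is constructed inline with a tiny DER encoder and carries a placeholder public key and signature; it exists only so the script runs offline. Run it against a real exported DER certificate with `python3 check_name_encoding.py rootcert.der`.

```python
"""Report the ASN.1 string type of every Issuer / Subject attribute in a DER certificate.

A Subject or Issuer attribute encoded as UTF8STRING (tag 0x0C) is what the TID
above describes as a "UTF8 encoded subject name"; PRINTABLESTRING (tag 0x13)
is the encoding the Terisa subsystem expects.
"""
import sys

STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING",
               0x16: "IA5STRING", 0x1E: "BMPSTRING"}
ATTR_NAMES = {"2.5.4.3": "commonName", "2.5.4.6": "countryName",
              "2.5.4.10": "organizationName", "2.5.4.11": "organizationalUnitName"}


def read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 Names")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER payload into dotted form, e.g. 2.5.4.3."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def name_attributes(buf, start, end):
    """Parse an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue).

    Returns a list of (attribute name, ASN.1 string type, decoded text)."""
    out = []
    for _set, sstart, send in children(buf, start, end):          # each RDN is a SET
        for _seq, qstart, qend in children(buf, sstart, send):    # each ATV is a SEQUENCE
            (_, ostart, oend), (vtag, vstart, vend) = list(children(buf, qstart, qend))[:2]
            oid = decode_oid(buf[ostart:oend])
            raw = buf[vstart:vend]
            text = raw.decode("utf-16-be") if vtag == 0x1E else raw.decode("utf-8", "replace")
            out.append((ATTR_NAMES.get(oid, oid), STRING_TAGS.get(vtag, "tag 0x%02X" % vtag), text))
    return out


def subject_and_issuer(der_cert):
    """Locate Issuer and Subject inside Certificate -> TBSCertificate and parse both."""
    _, cert_start, _ = read_tlv(der_cert, 0)
    _, tbs_start, tbs_end = read_tlv(der_cert, cert_start)
    fields = list(children(der_cert, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2], fields[4]
    return {"issuer": name_attributes(der_cert, issuer[1], issuer[2]),
            "subject": name_attributes(der_cert, subject[1], subject[2])}


def uses_utf8(attrs):
    """True if any attribute of a parsed Name is a UTF8STRING."""
    return any(kind == "UTF8STRING" for _, kind, _ in attrs)


# --- constructed sample input (not a real certificate: placeholder key and signature) ---
def der(tag, payload):
    """Minimal DER TLV encoder, used only to build the sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def atv(oid, tag, text):
    return der(0x31, der(0x30, der(0x06, oid) + der(tag, text.encode("utf-8"))))


OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"
SHA1_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + der(0x05, b""))
PRINTABLE_NAME = der(0x30, atv(OID_O, 0x13, "Example Org") + atv(OID_CN, 0x13, "Example CA"))
UTF8_NAME = der(0x30, atv(OID_O, 0x0C, "Example Org") + atv(OID_CN, 0x0C, "Example CA"))
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SHA1_RSA + PRINTABLE_NAME
    + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"350101000000Z"))
    + UTF8_NAME + der(0x30, b"")) + SHA1_RSA + der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT
    for part, attrs in subject_and_issuer(cert).items():
        for name, kind, text in attrs:
            print(f"{part:8} {name:24} {kind:16} {text}")
        print(f"{part}: {'UTF8 encoded' if uses_utf8(attrs) else 'no UTF8STRING attributes'}")
```

On the constructed sample the Issuer comes back as PRINTABLESTRING throughout and the Subject as UTF8STRING, mirroring the asn1parse output above; on a real export, any UTF8STRING in the Subject of the Organizational CA is the condition this TID describes.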

Formerly known as TID# 10098140