Setting up eDirectory 8.7.3 or 8.8 to track certificate expirations.
Steps to implement expiration tracking:
Note: You can skip steps one through three if you are running eDirectory 8.8 .
1. Get Current
- Ensure that eDirectory is at 873 IR4 or higher. The latest support pack for eDirectory 8.7.3 is SP10 . This update can be found by going to https://download.novell.com and selecting this version via the pulldowns.
- Also apply the latest security updates so that PKI services are up to date, Secupd8 or higher. You can find the latest for 8.7.3 at: https://download.novell.com/patch/finder and using the keywords of " SSP 8.7.3 " The minimum required PKI module is 2.76. Novell recommends applying 3.11 or higher. The latest PKI update at the time of this writing is SP201.TGZ.
2. Associate the Attributes in Schema and synchronize the changes to other servers in the tree
- Once these updates have been applied and the server reset you are ready to begin.
NOTE: Schema changes, so that they are propagated to all servers in the tree, should be performed on a RW or Master of root. The following steps should accomplish this. Ideally you should only have a connection to that server and, if on NetWare, actually run ConsoleOne from that server.
- Bring up ConsoleOne using the -ForceMaster switch, select the root of the tree, then select Tools - Schema Manager.
- Using the Class Tab select the class of NDSPKI:Key Material (this is the class used by Certificates\KMO's).
- On the Attribute List select Add Attribute then select NDSPKI:Not After and NDSPKI:Not Before. To select simply highlight each then click on the arrow "->". Accept the changes using the OK button. Then close Schema Manager.
- Now that the certificates' class definition has been modified so that these new attributes are available, we need to synch the schema changes out. From the server the schema extension was made type the following at the console:
" set dstrace=on "
" set dstrace=+schema "
" set dstrace=*ssd "
" set dstrace=*ssa "
Change screens to the Directory Services screen and wait for schema sync to complete.
3. Add Attributes to the KMO's and Populate the Fields
Now the attributes need to be created on existing KMO's and populated with their current expiration time. The process that triggers this change is PKI's health check function. This function can be triggered by either resetting the server, stopping and restarting eDirectory services or running an eDirectory repair. The repair must be run either in unattended mode or as a local repair and selecting to lock the database.
When the PKI health check is run that server will update all certificates in its home context (where its NCP server object resides). If there are other servers and their certificate objects in this context the health check will update these server's certificates as well. It does not matter whether or not this server actually holds a replica containing its home organization or organizational unit.
4. Run the Query
Here is a sample query using the LDAP search utility that can be found, among other sources, in the bin directory of ConsoleOne:
ldapsearch -LLL -b o=novell -h 10.0.1.3 -p 389 -s sub "objectclass=NDSPKI:Key Material" NDSPKINotAfter
This would return results similar to the following:
dn: cn=SSL CertificateDNS - MYSERVER,o=NOVELL
This indicates that the KMO, SSL CertificateDNS, for server MYSERVER in the NOVELL organization will expire on November 11th, 2006 at 2am and 3 seconds.
NOTE: The time format is UTC time. There is a defect in how this is being populated as the minutes are not added. Novell hopes to resolve this in a coming update for PKI.
A certificate expiration, if unanticipated, can lead to a loss of web services until a certificate replacement can be made. If the certificate was created and signed using Novell Certificate Server's tree CA, recreating the certificate is a quick process. If the certificate was signed by a third party trusted CA such as Verisign, there may well be a longer delay between submitting the certificate signing request and receiving back the signed certificate to import. In either case administrators would prefer to be proactive in tracking the expirations of the various certificates in use throughout their organization.
Using a combination of the latest eDirectory 8.7.3 update, or 8.8, with the latest version of PKI (Certificate Server) provides the ability to query for and return certificate expirations via ldap. These returns can span the entire tree and be placed into a csx file for spreadsheet analysis or passed into a perl script for further sorting and output. Below are the steps to implement the enhancement as well as a sample ldap command to get started.
NOTE: If PKI versions older than 2.76 are in the tree this process will still work though a repair or reset will not update that server's certificate expiration attributes.
Formerly known as TID# 10098567