Generate a complete third-party certificate for iChain from your eDirectory Tree

  • 7004233
  • 18-Aug-2009
  • 27-Apr-2012

Environment

iChain 2.X

Situation

Generate a complete third-party certificate for iChain from your eDirectory Tree

Resolution

This process will work for any 2.X iChain server that supports "Restore" in the Admin GUI Certificate Maintenance Tab.  

In a NetWare tree with current NW 6 or NW 6.5 servers and current Certificate Server, create a new NDSPKI:Key Material object.
Give it the name you want and select "Custom" options and External Certificate Authority.
Leave the next screen at defaults (2048 bit key and Allow private key to be exported) and click next.
The next screen is the critical one. This is where you will need to modify the subject name to match what you want on your iChain appliance.
You can look at your existing certificate to get the syntax right, but it will look something like:

.CN=*.novell.com.O=Novell.L=Provo.S=Utah.C=US

*****DO NOT PUT THE OU= IN THIS STRING. 

Click Next/Finish and save the CSR in .b64 format to C:/.
Then open the .b64 file with Wordpad. This will be the CSR that you submit to your third-party certificate vendor.
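
A pre-flight check for the dotted subject string described above, before it is typed into the Key Material object wizard. This is an added example, not part of the original article or any Novell tool. Only the no-OU rule comes from the article; the allowed attribute list, the single-CN rule, the wildcard placement and the two-letter country check are assumptions of this example.

```python
import re

# Attribute types in the article's sample subject; treating them as the
# allowed set is an assumption of this example.
ALLOWED = ("CN", "O", "L", "S", "C")
# An RDN starts at a dot followed by an upper-case attribute type and "=",
# so the dots inside a host name such as *.novell.com do not split.
RDN_START = re.compile(r"\.(?=[A-Z]{1,2}=)")


def parse_subject(subject):
    """Split '.CN=*.novell.com.O=Novell...' into ordered (type, value) pairs."""
    parts = RDN_START.split(subject.strip())
    if parts[0] != "":
        raise ValueError("subject must begin with '.' and an attribute type")
    return [tuple(rdn.split("=", 1)) for rdn in parts[1:]]


def check_subject(subject):
    """Return a list of problems; an empty list means the string looks usable."""
    try:
        pairs = parse_subject(subject)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    types = [t for t, _ in pairs]
    if "OU" in types:
        problems.append("OU= present: the article says to leave it out")
    for t, v in pairs:
        if t not in ALLOWED and t != "OU":
            problems.append(f"unexpected attribute type {t}")
        if not v:
            problems.append(f"{t} has an empty value")
    if types.count("CN") != 1:
        problems.append("exactly one CN is required")
    for t, v in pairs:
        if t == "CN" and "*" in v and not (v.startswith("*.") and v.count("*") == 1):
            problems.append("wildcard must be the whole left-most label")
        if t == "C" and not re.fullmatch(r"[A-Z]{2}", v):
            problems.append("C must be a two-letter country code")
    return problems


if __name__ == "__main__":
    for s in (".CN=*.novell.com.O=Novell.L=Provo.S=Utah.C=US",  # from the article
              ".CN=www.example.com.OU=IT.O=Example.C=USA"):     # constructed
        print(s, "->", check_subject(s) or "OK")
```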

When you have the response file from your vendor/Verisign, use the steps below (taken from KB 10073709) to convert the response file into PKCS #7 format using a current/patched version of Internet Explorer:

1. Save the response file (certificate) sent from Verisign using Wordpad as a .cer file.
2. Go to Tools > Internet Options > Content > Certificates
3. Click on Import > Next and browse to the response file sent from Verisign
4. Use "Automatically select the certificate based on the type of certificate"
5. Click Next and Finish
6. Go to Tools > Internet Options > Content > Certificates > Other People tab.  (Check all tabs if it does not appear here.)
7. Highlight the imported certificate and click on Export > Next.
8. Select Cryptographic message syntax standard - PKCS #7 (.P7b) and check Include all certificates in the certification path if possible.
9. Select Next and save/export the file.

Then go back to ConsoleOne and Import this .p7b file:

1. Launch ConsoleOne and right-click on the Key Material Object for the respective certificate.
2. Select Properties > Public Key Certificate on the drop-down of the Certificate tab.
3. Click Import and check "No Trusted Root Certificate Available", then click Next.
4. You should now be at the text window entitled "Paste your server certificate here or read it from a file". Select Read from File, browse to the .p7b file and finish the import.
***Note: An informational message may appear when finishing the import stating that the issuer or subject do not match. Just continue on.

Once complete, export the certificate with the PRIVATE keys to get a .pfx format file.

1. Highlight the KMO Object.
2. Select Properties > Public Key Certificate on the drop-down of the Certificate tab.
3. Click Export
4. Select Yes to export the private key with the certificate
5. Supply a password, shorten the name of the certificate file to 8.3 format and select Next.

Then take that .pfx file to the iChain 2.X server and "restore" the certificate in the Certificate Maintenance Tab in the Admin GUI.

You may need to purge cache or re-start iChain to make the new certificate available for an accelerator's consumption.


Additional Information

Formerly known as TID# 10096659