Importing Third Party Certificate in eDirectory generated with gwcsrgen utility

  • 7007003
  • 05-Oct-2010
  • 18-Jun-2014

Environment

Novell GroupWise
Novell Certificate Server (PKIS)
Novell eDirectory 8.7.X for All Platforms
Novell eDirectory 8.8.X for All Platforms

Situation

Importing a third-party certificate into eDirectory when the CSR was generated with the "gwcsrgen" utility
Replacing expired certificate for Apache
Replacing Third Party WebAccess certificate for NetWare

Resolution

  1. Generate a CSR and key file with the "gwcsrgen" utility. (Keep the password that is used when creating the CSR file.)
  2. Send the CSR file to the certificate provider for signing.
  3. Once the CSR is signed, the certificate provider will send three certificates (Signed Certificate or SSL Certificate, Secure Server Intermediate CA, CA Root Certificate).
  4. Copy and paste the three certificates into Notepad and save the three files as certificate.crt, intermediate.crt and root.crt in the same folder where you have the key and CSR files.
  5. Convert the certkey.key file and the certificate.crt file into one single p12 file (output.p12) using the following command from the Linux server:
  6. # openssl pkcs12 -export -out output.p12 -inkey certkey.key -in certificate.crt
  7. This command will ask for the pass phrase for the key file. Give the password that was used during the CSR generation.
  8. If the password is accepted by the key file, it will then ask for the new Export Password for the p12 file.
  9. Now import the output.p12, intermediate.crt and root.crt files into Internet Explorer.
  10. To import the certificates in the Internet Explorer:
    1. Go to Internet Explorer >> Tools >> Internet Options >> Content >> Certificates
    2. Click Import >> Locate the root.crt file >> Import it under the container "Trusted Root Certification Authorities" >> Say Yes to the Security Warning to install the certificate
    3. Click Import again >> Locate the output.p12 file >> Provide the password that was given during the output.p12 file creation and check the option "Mark this key as exportable" >> Next >> Select "Automatically select the certificate store based on the type of certificate" >> Next >> Finish.
    4. The certificate will appear under the Personal tab.
    5. Click Import >> Locate the intermediate.crt file >> Select "Automatically select the certificate store based on the type of certificate" >> Next >> Finish.
    6. Make sure all three files are present in Internet Explorer under Tools >> Internet Options >> Content >> Certificates >> Personal, Intermediate Certification Authorities and Trusted Root Certification Authorities.
  11. Export the certificate file now from Internet explorer with the following steps:
    1. Internet Explorer >> Tools >> Internet Options >> Certificate >> Personal >> Select the certificate that we imported
    2. When prompted to export the private key, select YES
    3. When prompted for the PKCS#12 information, select "Include all certificates in the certification path if possible" and "Export all extended properties".
    4. Give the password for the PKCS#12 file to be generated (this password will be used when importing the certificate into eDirectory)
    5. Save the file to the filesystem as finalimport.pfx.
  12. Now import this file in eDirectory using ConsoleOne or iManager
  13. For importing using ConsoleOne
    1. Go to the container in the TREE where the server is located for which the CSR was generated.
    2. Create a new object of type NDSPKI: Key Material
    3. Select Server name from the available list
    4. Provide the certificate name
    5. Select import >> Next >> Read from file >> Browse the finalimport.pfx file
    6. Select Next >> Provide the password that was given during the generation of the pkcs#12 file >>Finish
    7. Refresh ConsoleOne and validate the object in the tree.
  14. For Importing Using iManager
    1. Under Roles and Tasks >> Novell Certificate server >> Create Server Certificate
    2. Browse the server name
    3. Provide the Nickname for the certificate
    4. Select creation method as Import >> Next
    5. Choose the file finalimport.pfx and provide the password
    6. Select Next >> Finish
    7. Browse the tree and validate the certificate imported.
 
Note:
  1. If you received only the SSL Certificate and the CA Root Certificate, skip the Intermediate CA import in Internet Explorer. (All the major third-party certificate providers include the Intermediate CA.)
  2. The above procedure has been successfully tested with Thawte, Verisign, GoDaddy.
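
The following shell functions are an added example, not part of the original procedure or of any Novell tool. They check on the Linux server that certkey.key matches certificate.crt and that the three provider files form one chain before running the export from step 6, and they count the certificates in a PKCS#12 file so that finalimport.pfx can be confirmed to hold the full path before the eDirectory import. The function names, the KEYPASS and P12PASS environment variables and the demo chain are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Novell's code). Passphrases are read from the environment
# variables KEYPASS and P12PASS (assumed names) instead of being typed at a prompt.

# Constructed sample input: a throwaway root -> intermediate -> server chain in
# directory $1, using the file names from the procedure.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" &&
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -passout env:KEYPASS -subj "/CN=gw.example.test" \
        -keyout "$d/certkey.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/certificate.crt" 2>/dev/null
}

# The signed certificate must carry the public key of the key file (also fails
# when KEYPASS is not the password used at CSR generation).
key_matches_cert() {  # key_matches_cert KEY CERT
    kpub=$(openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The three provider files must form one path: root -> intermediate -> certificate.
chain_verifies() {  # chain_verifies ROOT INTERMEDIATE CERT
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q 'OK$'
}

# Number of certificates inside a PKCS#12 file (3 expected for a full chain).
p12_cert_count() {  # p12_cert_count FILE
    openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Run both checks, then the export command from step 6 without prompts.
build_output_p12() {  # build_output_p12 DIR
    key_matches_cert "$1/certkey.key" "$1/certificate.crt" || { echo "key/certificate mismatch" >&2; return 1; }
    chain_verifies "$1/root.crt" "$1/intermediate.crt" "$1/certificate.crt" || { echo "chain does not verify" >&2; return 1; }
    openssl pkcs12 -export -out "$1/output.p12" -inkey "$1/certkey.key" \
        -in "$1/certificate.crt" -passin env:KEYPASS -passout env:P12PASS
}
```

With real files, export KEYPASS and P12PASS, then run build_output_p12 on the folder holding the key and certificates; after the Internet Explorer export, p12_cert_count finalimport.pfx should report 3 (2 when the provider sent no intermediate).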

Additional Information

For example, a normal certificate looks like this:

-----BEGIN CERTIFICATE-----
[Base64-encoded certificate data]
-----END CERTIFICATE-----

Copy and paste the content into a Notepad file and save it as root.crt.
Note: The BEGIN CERTIFICATE and END CERTIFICATE lines are an essential part of the certificate; do not omit them when saving the certificate.