Access Manager support for cross domain certificates

  • 7007107
  • 27-Oct-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

A certificate signing request was generated from the Access Manager Admin Console to obtain a new server certificate for the Linux Access Gateway proxy. The CA returned the server certificate, which the administrator imported. Multiple trusted root certificates were also returned, a few of which had the same subject name but different key sizes (1024 versus 2048 bits). Importing the certs caused error -1227 (invalid certificate chain) to be returned in the UI.

There does not seem to be any option in Access Manager to handle cross domain certificates, and we cannot assign the certs to any Access Manager services.

Resolution

Multiple options exist to import the certificate. The key requirement is that the full chain (including all certs) is present in the path. This is what was imported:

- server cert (signed with 2048-bit key)
- intermediate cert (signed with 2048-bit key)
- new root cert (signed with 2048-bit key)
- merged file (the intermediate cert, signed with 2048-bit key, plus the cross-signed roots, signed with 1024-bit key)

Additional Information

Merging certificates can be accomplished by following the solution at https://www.novell.com/coolsolutions/appnote/16531.html (see Scenario 1: Server Certificate returned from CA includes multiple intermediates and trusted root certificate)
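Before importing a merged file, it is worth checking that every issuer in it is actually present and seeing which subject names appear with more than one key size, which is the cross-signed-root pattern behind the -1227 error above. The following is an added example, not code from the TID or from Novell: it reads a PEM bundle with a minimal DER walker, assumes RSA keys, links certificates by commonName only and does not verify signatures; the sample certificates it builds are constructed, unsigned shells with hypothetical names.

```python
import base64, re

def _parse(buf):  # split DER bytes into a list of (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                   # long-form length: next (ln & 0x7F) bytes hold it
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def _cn(name):  # commonName (OID 2.5.4.3) of a DER Name; used here as the chain-linking key
    for _, rdn in _parse(name):
        oid, val = _parse(_parse(rdn)[0][1])
        if oid[1] == b"\x55\x04\x03":
            return val[1].decode()
    return name.hex()

def parse_cert(der):  # -> (subject CN, issuer CN, RSA modulus bits); assumes an RSA public key
    fields = _parse(_parse(_parse(der)[0][1])[0][1])    # Certificate -> tbsCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop the explicit [0] version if present
    issuer, subject, spki = fields[2][1], fields[4][1], fields[5][1]
    pubkey = _parse(spki)[1][1][1:]                     # BIT STRING content minus the unused-bits byte
    modulus = _parse(_parse(pubkey)[0][1])[0][1]        # RSAPublicKey.modulus
    return _cn(subject), _cn(issuer), int.from_bytes(modulus, "big").bit_length()

def check_bundle(pem_text):  # -> (issuer names absent from the bundle, subjects seen with several key sizes)
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [parse_cert(base64.b64decode("".join(b.split()))) for b in blocks]
    missing = sorted({i for _, i, _ in certs} - {s for s, _, _ in certs})
    sizes = {s: sorted({b for t, _, b in certs if t == s}) for s, _, _ in certs}
    return missing, {s: b for s, b in sizes.items() if len(b) > 1}

def _enc(tag, body):  # minimal DER TLV encoder, only for building the constructed sample below
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def fake_cert(subject, issuer, bits):  # constructed, unsigned cert shell: CN names plus a `bits`-bit modulus
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # exact bit length, not a real key
    spki = _enc(0x30, _enc(0x30, b"") + _enc(0x03, b"\x00" + _enc(0x30, _enc(0x02, modulus) + _enc(0x02, b"\x01\x00\x01"))))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x30, b"") + name(issuer) + _enc(0x30, b"") + name(subject) + spki)
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = "".join(fake_cert(*c) for c in [      # constructed stand-in for the TID's merged file
    ("lag.example.com", "Intermediate CA", 2048), ("Intermediate CA", "Root CA", 2048),
    ("Root CA", "Root CA", 2048), ("Root CA", "Root CA", 1024)])
```

Run `check_bundle` on the real merged file: an empty first list means no issuer is missing from the bundle, and the second shows which subject names carry both the 1024-bit and 2048-bit keys.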