Untrusted certificate after recreating eDirectory Certificate Authority

  • 7010407
  • 09-Jul-2012
  • 25-Jul-2012

Environment

Novell ZENworks Linux Management 7.3

Situation

The object store / embedded eDirectory certificate authority got recreated since it was not possible to issue new server certificates.
A Primary server or Secondary server LDAP server certificate is outdated and needs to be recreated.

Error message in the tomcat log file under /var/opt/novell/log/zenworks/tomcat after assigning a newly created server certificate to the respective LDAP server object:
"... No trusted certificate found ..."

Resolution

Recreate the /opt/novell/zenworks/datamodel/share/ldap-certs keystore file with the new certificate authority certificate:
  1. Run the openssl s_client -connect localhost:10636 -showcerts -keyform DER command
  2. From the screen output, copy the second displayed certificate into a file called ca.b64 located in a temp folder, including the "...--BEGIN CERTIFICATE--..." and "...--END CERTIFICATE--..." lines
  3. Run the command /opt/novell/eDirectory/lib64/nds-modules/embox/jre/bin/keytool -import -file ca.b64 -alias 127.0.0.1 -keystore ldap-certs to create a new keystore in the temp location.
  4. When prompted for the keystore password, use the contents of the /etc/opt/novell/zenworks/serversecret file
  5. Make a backup copy of the /opt/novell/zenworks/datamodel/share/ldap-certs file
  6. Overwrite the existing ldap-certs file with the newly created file
  7. Restart the ZLM service with the command zlm-config --restart
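The seven steps above as one POSIX shell script. This is an added example, not part of the TID or of the ZENworks product; it assumes the paths and port 10636 given in the article, that the CA certificate is the second block in the s_client output as the article states, and that keytool accepts the standard JDK -storepass and -noprompt options. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the TID: rebuild the ZLM ldap-certs keystore
# from the live eDirectory LDAP chain. Usage (as root): sh rebuild.sh run

ZLM_KEYSTORE=/opt/novell/zenworks/datamodel/share/ldap-certs
SERVERSECRET=/etc/opt/novell/zenworks/serversecret
KEYTOOL=/opt/novell/eDirectory/lib64/nds-modules/embox/jre/bin/keytool

# Print the n-th PEM certificate block (1-based) read from stdin, including
# the BEGIN/END lines. With "openssl s_client -showcerts" the first block is
# the LDAP server certificate and the second is the issuing CA certificate.
nth_cert() {
    awk -v n="$1" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    '
}

# Steps 1-7 of the article, stopping at the first failure so the existing
# keystore is never replaced by an empty or incomplete one.
rebuild_ldap_certs() {
    tmp=$(mktemp -d) || return 1
    # Steps 1-2: capture the chain, keep only the CA certificate (ca.b64).
    openssl s_client -connect localhost:10636 -showcerts </dev/null 2>/dev/null \
        | nth_cert 2 > "$tmp/ca.b64"
    grep -q 'BEGIN CERTIFICATE' "$tmp/ca.b64" \
        || { echo "no CA certificate found in chain" >&2; return 1; }
    # Steps 3-4: new keystore in the temp dir; password is the server secret.
    "$KEYTOOL" -import -noprompt -file "$tmp/ca.b64" -alias 127.0.0.1 \
        -keystore "$tmp/ldap-certs" -storepass "$(cat "$SERVERSECRET")" \
        || return 1
    # Steps 5-6: timestamped backup, then overwrite the live keystore.
    cp -p "$ZLM_KEYSTORE" "$ZLM_KEYSTORE.bak.$(date +%Y%m%d%H%M%S)" || return 1
    cp "$tmp/ldap-certs" "$ZLM_KEYSTORE" || return 1
    rm -rf "$tmp"
    # Step 7: restart ZLM so tomcat reloads the trust store.
    zlm-config --restart
}

case "${1:-}" in
    run) rebuild_ldap_certs ;;
esac
```

The script only acts when invoked with the argument run, so it can be sourced to reuse nth_cert on saved s_client output.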

Additional Information

The ldap-certs keystore file is created with the embedded eDirectory certificate authority certificate when ZENworks Linux Management is installed. To make ZLM trust a newly created CA, the keystore needs to be updated or recreated with the new CA's certificate.