Environment
NetIQ eDirectory
NetIQ iManager
Situation
How to rebuild, renew or recreate an expired Certificate Authority (CA)
Steps for rebuilding / renewing / recreating an expired CA
Resolution
Please follow these preliminary steps to validate the Certificate Authority (CA):
- iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority | Certificates | Select ALL certificates | Select Validate.
- If the Certificate status shows Invalid or Expired, then proceed with the following section to renew the CA.
Please follow the steps below to delete and re-create the Organizational Certificate Authority (CA) for the TREE.
Note: Deleting the Organizational CA object does not invalidate the certificates it has already signed, such as the server certificates (Key Material Objects) created for each of your servers; they continue to function until they expire. However, you will not be able to install new servers into the tree or issue new certificates until you have deleted the old CA and created a new one. User certificates are the exception: they will fail validation with an Invalid Signature and will need to be re-issued.
- Delete the Organizational CA object. Please select one of the following options using iManager:
- Option A: iManager | Roles & Tasks | Directory Administration | Delete Object | Browse to and Select the CA object located in the Security container
- Option B: iManager | Select View Objects (magnifying glass) | Select the Security Container | Check the CA object | Select Delete
- Create a new Organizational CA object. Please select one of the following options:
- Option A: Determine a Linux eDirectory server to host the Certificate Authority (CA).
- In a terminal window on that eDirectory server, enter the following:
    ndsconfig upgrade -j
- Provide the admin name with context (for example admin.org) and enter the password.
Note: If there is no Organizational Certificate Authority (CA), one will be created.
- Option B: Create a Certificate Authority (CA) using iManager:
- iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority
- Browse to and select the server that will host the new CA, and provide a name for the object.
Note: This can be any name; by default the original object was named <treename> CA.
- Select Next, accept the defaults, and select Finish.
- Using iManager, Browse to the Security container. The new Certificate Authority (CA) object should now exist.
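As an added example that is not part of this TID (it assumes only a POSIX shell and the openssl command line; every name and value in it is constructed), the following builds a throwaway old CA, new CA and server certificate, then shows the two checks the notes above imply: whether a CA certificate has expired or is about to, and which existing certificates still chain to the CA that is now in the tree.

```shell
set -eu
# Constructed lab data: nothing here comes from a real tree.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # $1 = CA name, $2 = validity in days (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/O=CONSTRUCTED_TREE/CN=$1" >/dev/null 2>&1
}

issue_server_cert() {  # $1 = issuing CA name, $2 = server name
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/O=CONSTRUCTED_TREE/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# ca_status NAME [SECONDS]: "valid" if the certificate is still valid SECONDS
# from now (default 0, i.e. right now), "expired" otherwise. This is the
# command-line counterpart of the iManager "Validate" step above.
ca_status() {
  if openssl x509 -in "$WORK/$1.pem" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
    echo valid
  else
    echo expired
  fi
}

# chains_to CA_NAME CERT_NAME: "ok" if the certificate was signed by that CA,
# "invalid-signature" otherwise (what a user certificate reports once the
# Organizational CA it was issued by has been deleted and recreated).
chains_to() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo invalid-signature
  fi
}

make_ca old-ca 1                # stands in for an Organizational CA about to expire
make_ca new-ca 3650             # stands in for the recreated Organizational CA
issue_server_cert old-ca srv1   # a server certificate (KMO) signed by the old CA

echo "old CA now:          $(ca_status old-ca)"          # valid
echo "old CA in 2 days:    $(ca_status old-ca 172800)"   # expired
echo "srv1 against old CA: $(chains_to old-ca srv1)"     # ok
echo "srv1 against new CA: $(chains_to new-ca srv1)"     # invalid-signature
```

Run the same two functions against the exported CA certificate and a server or user certificate from your own tree to decide which ones must be re-issued after the CA is recreated.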
Additional Information
If there are problems accessing iManager on the eDirectory servers, please consider the steps provided in TID 7013239 - How to configure Workstation iManager on a Windows desktop for certificate administration.