How to renew invalid or expired eDirectory server certificates

  • 7013080
  • 20-Aug-2013
  • 04-Dec-2020

Environment

NetIQ eDirectory
NetIQ iManager

Situation

How to renew expired eDirectory server certificates.
Server certificates are invalid or expired.
Repair default server certificates.

Resolution

First make sure the Tree Certificate Authority is valid. If it is valid for less than two years, you may want to consider recreating the Tree CA, because this process rekeys the server certificates for up to two years or until the expiration of the Tree CA, whichever comes first.

  1. Log in to iManager as Admin.
  2. Roles & Tasks | Novell Certificate Server | Configure Certificate Authority
  3. Select the Certificates Tab
  4. Click the Organizational CA certificate and the Self Signed Certificate, one at a time.
  5. Review the Expiration Date for each certificate and verify it is at least 2 years out.
  6. If you need to recreate the tree CA, you can use TID 7013047 - How to renew an expired Certificate Authority (CA) as a reference.


Then follow the steps below to Repair Default Server certificates for eDirectory servers:
  1. Log in to iManager as Admin.
  2. Roles & Tasks | Novell Certificate Server | Repair Default Certificates
  3. Select the server(s) which will own the certificates and click Next
  4. Select "Yes, All Default Certificates will be overwritten" and click Next
  5. Review the tasks to be performed and select Finish


Alternatively, you can do the following using a Linux server:

  1. iManager | View Objects | Manually delete the server's certificate objects from the TREE.
  2. From a terminal on the eDirectory Linux server:
    ndsconfig add -m SAS
    Note: The utility will detect the missing server certificates and re-create them.


Please note that the LDAP server will not pick up these new certificates until it is restarted with the following commands (Linux):
nldap -u
nldap -l
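To confirm which certificate the LDAP server is actually presenting after the restart, and how long it remains valid, the following shell check is an added example (it is not part of the TID). It assumes openssl and GNU date are available on the Linux server; the hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the TID): report the expiry of the certificate an
# eDirectory LDAP server presents on its LDAPS port. Assumes openssl and GNU date.

# days_until_expiry "<notAfter value as printed by openssl x509 -enddate>"
# Prints whole days from now until that date; negative means already expired.
days_until_expiry() {
    exp_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# classify_days DAYS [THRESHOLD]
# EXPIRED if negative, RENEW if under THRESHOLD days (default 730, the two-year
# horizon the TID recommends when checking the Tree CA), otherwise OK.
classify_days() {
    threshold=${2:-730}
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$threshold" ]; then echo RENEW
    else echo OK
    fi
}

# check_ldaps_cert HOST [PORT]
# Fetches the server certificate from the LDAPS port (636 by default) and
# prints its subject, notAfter date, days remaining and status.
check_ldaps_cert() {
    host=$1; port=${2:-636}
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || { echo "no certificate from $host:$port"; return 1; }
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    days=$(days_until_expiry "$enddate")
    printf '%s\n  expires: %s (%s days) -> %s\n' \
        "$subject" "$enddate" "$days" "$(classify_days "$days")"
}

# Usage (hostname is a placeholder): check_ldaps_cert edir01.example.com
```

Run it before and after `nldap -u` / `nldap -l` to see the old certificate replaced by the renewed one.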


If the certificates have been recreated and are valid but LDAP still fails to load, and in ndstrace "load nldap" returns "Cannot initialize SLAPI initializing backend TSD key", restart NDS as described in TID 7015856 - nldap will not reload after expired certificate is renewed.

Cause

Server certificates are invalid and/or expired and need to be re-created.

Additional Information

If there are problems accessing iManager on the eDirectory servers, please consider the steps provided in TID 7013239 - How to configure Workstation iManager on a Windows desktop for certificate administration.

If there is a problem renewing the default server certificates, perhaps there is a problem with the Certificate Authority (CA).
Please see the preliminary steps to validate the CA in TID 7013047 - How to renew an expired Certificate Authority (CA).

If recreating certificates on an Open Enterprise Server (OES), please consider the Cool Solution "Certificate Re-creation Script for OES1, OES2 and OES 11".
