Environment
NetIQ iManager
Situation
Server certificates are invalid or expired.
Repair default server certificates.
Resolution
- Log in to iManager as Admin.
- Roles & Tasks | Novell Certificate Server | Configure Certificate Authority
- Select the Certificates Tab
- Click on both the Organizational CA certificate and the Self Signed Certificate, one at a time.
- Review the Expiration Date for each certificate and verify it is at least 2 years out.
- If you need to recreate the tree CA, you can use TID 7013047 - How to renew an expired Certificate Authority (CA) as a reference.
- Log in to iManager as Admin.
- Roles & Tasks | Novell Certificate Server | Repair Default Certificates
- Select the server(s) which will own the certificates and click Next
- Select "Yes All Default Certificates will be overwritten" and click Next
- Review the tasks to be performed and select Finish
Alternatively, you can do the following using a Linux server:
- iManager | View Objects | Manually delete the server's certificate objects from the TREE.
- From a terminal on the eDirectory Linux server:
ndsconfig add -m SAS
Note: The utility will detect the missing server certificates and re-create them.
Please note that the LDAP server will not pick up these new certificates until it is restarted with the following commands (Linux):
nldap -u
nldap -l
If the certificates have been re-created and are valid but LDAP still fails to load, and "load nldap" in ndstrace returns "Cannot initialize SLAPI initializing backend TSD key", restart NDS as per TID 7015856 - nldap will not reload after expired certificate is renewed.
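To confirm that nldap is serving the re-created certificate after the restart, the following added example (not part of the original TID) reads the certificate presented on the LDAPS port and reports how long it remains valid. It assumes GNU date and the openssl CLI on the server; the function names, the port 636 default and the 30-day warning threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: check the certificate served on the LDAPS port after
# `nldap -u` / `nldap -l`. Assumes GNU date and the openssl CLI.
# Function names, port 636 default and 30-day threshold are illustrative.

# Seconds from "now" (optional epoch in $2) until an openssl notAfter
# string such as "Mar  5 12:00:00 2031 GMT". Negative means expired.
seconds_left() (
    now=${2:-$(date +%s)}
    end=$(date -u -d "$1" +%s) || return 2
    echo $(( end - now ))
)

# Map remaining seconds ($1) and a warning threshold in days ($2) to a status.
classify() {
    if [ "$1" -le 0 ]; then echo EXPIRED
    elif [ "$1" -lt $(( $2 * 86400 )) ]; then echo EXPIRING
    else echo OK
    fi
}

# Print the notAfter date of the certificate presented by host $1 on port $2.
served_not_after() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# Report on the served certificate; exit status 0 only when it is OK.
check_ldaps_cert() (
    host=$1; port=${2:-636}; min_days=${3:-30}
    not_after=$(served_not_after "$host" "$port")
    if [ -z "$not_after" ]; then
        echo "$host:$port no certificate received (is nldap loaded?)"
        return 2
    fi
    secs=$(seconds_left "$not_after") || return 2
    status=$(classify "$secs" "$min_days")
    echo "$host:$port notAfter=$not_after status=$status"
    [ "$status" = OK ]
)

# Usage: sh check_ldaps_cert.sh ldap-host [port] [min_days]
if [ "$#" -ge 1 ]; then check_ldaps_cert "$@"; fi
```

If the reported notAfter is still the old expiration date, nldap has not picked up the re-created certificate and the restart above has not taken effect.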
Cause
Additional Information
If there are problems accessing iManager on the eDirectory servers, please consider the steps provided in TID 7013239 - How to configure Workstation iManager on a Windows desktop for certificate administration.
Please see the preliminary steps to validate the CA from TID 7013047 - How to renew an expired Certificate Authority (CA).
If recreating certificates on an Open Enterprise Server (OES), please consider the Cool Solution "Certificate Re-creation Script for OES1, OES2 and OES 11".