Environment
NetIQ eDirectory
NetIQ iManager
NetIQ iManager
Situation
How to renew expired eDirectory server certiifcates.
Server certificates are invalid or expired.
Repair default server cerificates.
Server certificates are invalid or expired.
Repair default server cerificates.
Resolution
First make sure the Tree Certificate Authority is valid. If it is valid for less than two years, you may want to consider recreating the Tree CA, as this process will rekey the server certificates for up to two years or the expiration of the Tree CA, whichever comes first.
- Login in iManager as Admin.
- Roles & Tasks | Novell Certificate Server | Configure Certificate Authority
- Select the Certificates Tab
-
Click on both of the Organizational CA certificate and Self Signed Certificate, one at a time.
- Review the Expiration Date for each certificate and verify it is at least 2 years out.
- If you need to recreate the tree CA, you can use TID 7013047 - How to renew an expired Certificate Authority (CA) as a reference.
- Login in iManager as Admin.
- Roles & Tasks | Novell Certificate Server | Repair Default Certificates
- Select the server(s) which will own the certificates and click Next
- Select Yes All Default Certificates will be overwritten and click Next
- Review the tasks to be performed and select Finish
Alternatively, you can do the following using a Linux server:
- iManager | View Objects | Manually delete the server's certificate objects from the TREE.
- From a terminal on the eDirectory Linux server:
ndsconfig add -m SAS
Note: The utility will detect the missing server certificates and re-create them.
Please note that the LDAP server will not pickup these new certificates until restarted with the following commands (Linux):
nldap -u
nldap -l
If certificates are recreated and valid, LDAP still fails to load, and in ndstrace "load nldap" returns Cannot initialize SLAPI initializing backend TSD key please restart NDS as per TID 7015856 - nldap will not reload after expired certificate is renewed.
Cause
Server certificates are invalid and/or expired and need to be re-created.
Additional Information
If there are problems accessing iManager on the eDirectory servers, please consider the steps provided in TID 7013239 - How to configure Workstation iManager on a Windows desktop for certificate administration.
If there is a problem renewing the default server certificates, perhaps there is a problem with the Certificate Authority (CA).
Please see the preliminary steps to validate the CA from TID 7013047 - How to renew an expire Certificate Authority (CA)
If recreating certificates on an Open Enterprise Server (OES), please consider the coolsolution "Certificate Re-creation Script for OES1, OES2 and OES 11".
Please see the preliminary steps to validate the CA from TID 7013047 - How to renew an expire Certificate Authority (CA)
If recreating certificates on an Open Enterprise Server (OES), please consider the coolsolution "Certificate Re-creation Script for OES1, OES2 and OES 11".