Using OpenSSL certificates within eDirectory

  • 7014197
  • 27-Nov-2013
  • 27-Nov-2013

Environment

Novell eDirectory 8.7.3 for All Platforms
Novell LDAP Server
SUSE LINUX Enterprise Server 9
Novell NetWare 6.5 SP3
Novell Certificate Server
OpenSSL

Situation

Using OpenSSL certificates within eDirectory

Resolution

These procedures show how to create, import and use an OpenSSL certificate within eDirectory using LDAPS services as an example.
Creating a Server Certificate in OpenSSL and importing into eDirectory

1. Create the Certificate public and private key pairs.

On the SUSE Enterprise Linux 9.x Server

Open YaST - Security and Users - CA Management - Enter CA - root password -  Certificates - Add - Add Server Certificate. 

Common name:  THIS IS IMPORTANT AND CANNOT BE CHANGED!  This should be DNS host name users  will use to connect to the server in eDirectory.  If users use "www.mycompany.com"  it should be "www".

Email Address: This should be the email address of the administrator for server certificates.  IE., type admin@mycompany.com then click on Add.

Organization: This normally is the company name.  Example: novell

Organizational Unit: This has nothing to do with the eDirectory tree and is entirely optional.  It can be used to signify location.  Example: headquarters

Locality: This should be the server's city location.  Example: Provo

State:  Self explanitory.  Example: UT

Country:  Self explanitory.  Example: USA

Password:  Enter the password that will be used to protect the private key.

Key Length:  eDirectory will accept a max key size of 2048.  If there are no export considerations, choose this size.  Any size less than this is considered or will soon be considered less secure.

Valid period:  Usually certificates are allowed to expire either on a one or two year period.  One year is more secure.  Next - Create. You will now see a list of certificates created by this server's CA which includes the certificate just created. 

2. Export the keypairs along with the CA certificate.

Highlight the certificate created and select Export - Export to File.
Select the option, "Like PKCS12 and Include the CA Chain."
Enter the password previously used the create the private key then type in the password that will be used to protect the outgoing file.  These can be the same.
Enter the path and filename for this PKCS12 file.  Example: /var/lib/CAM/YaST_Default_CA/serverpkcs12.pfx

3. Import this PKCS12 file into eDirectory using iManager.

Bring up iManager into a browser: https://x.x.x.x/nps/iManager.html.
Go to Novell Certificate Server - Create Server Certificate.
Browse to and select the server for whom we are importing this certificate then type in the eDirectory object name in the Certificate nickname field.  Select Import Creation Method then Next.
Browse to the PKCS12 file previously created or copy the file to a place that can be browsed then input the password used to protect it.  Select Finish.

3a. Import this PKCS12 file into eDirectory using ConsoleOne.

Bring up the latest ConsoleOne using the newest pkiwrap.dll found in the latest released security update.  These are found in the eDirectory patches such as eDir8737XXX.XXX.   On NetWare, they are also updated when applying the latest Support Pack.  Click on this server's container, right-click create - New Object - NDSPKI:Key Material - OK - Select this server - Enter the object's name - Creation Method = Import - Next - Select Read from file and browse to the file - Select Next - enter protecting password - Finsh.
Now the certificate has been imported into eDirectory and is ready for use.

4. Import the OpenSSL CA certificate into a Trusted Root object within a Trusted Roots container.

Copy the OpenSSL server certificate, usually cacert.pem from the default OpenSSL directory to an area that can be browsed with Console One or iManager.  This, on an OES Linux server, is found in /var/lib/CAM/YaST_Default_CA/cacert.pem.  Using either iManager or ConsoleOne create a Trusted Root container.  This must be called "Trusted Roots" under the Security container.  Then create an object of type NDSPKI:Trusted Root Object in this container, give it any descriptive name then browse to and import the cacert.pem file into this object using the dialogs.   The CA certificate is now imported into eDirectory so applications can now verify the signer of the certificate imported in the eariler steps.

5. Associate the certificate to the LDAP Server Object.


Modify the LDAP Server object for this server using either iManager or Console One, go to the SSL/TLS tab and select the new certificate in the Server Certificate field.  Select the Trusted Roots Container in the Trusted Root Containers field.  Select OK.  LDAP will refresh on the server and the new certificate is now ready to use for secure LDAP communications.
NOTE: If you use this certificate to connect securely via ldaps with ConsoleOne's Import\Export Wizard,  you will need to export a PKCS7\Der file from the certificate to use during the dialog.  Simply select the new certificate and export it to a PKCS7 (der) file.

.

Additional Information

Formerly known as TID# 10098907
Formerly known as TID# NOVL103451