Error Creating Certs for eDir Driver

  • 7015545
  • 17-Aug-2014
  • 18-Dec-2014


eDirectory 8.8
eDir Driver
Bi-Directional eDirectory driver


Error creating certs: eDir to eDir 
When creating certs for Bi-Directional eDirectory driver the following error is returned:
Subject Name" which stores the subject name. Importing a Certificate will
cause Certificate Server to compare the Subject Name stored on the
Certificate against the attribute "NDS PKI: Subject Name"

Error: -1232


Take a ndstrace with +time + tags +pkii +pkia
set ndstrace=nodebug
ndstrace +time + tags +pkii +pkia

Example of ndstrace output
PKII: [2014/08/15 18:09:47.770] Logically comparing the two subject names 
PKII: [2014/08/15 18:09:47.770] NDS subject name is .O=MERCTREE.CN=sld1oacsnds0002 
PKII: [2014/08/15 18:09:47.770] Certificate subject name is O=.........CN=......1 
PKII: [2014/08/15 18:09:47.770] Entering serverReverseX509Name  O=NOVLL.CN=server1
PKII: [2014/08/15 18:09:47.770] Reversed X509 name CN=server1.O=NOVLL
PKII: [2014/08/15 18:09:47.770] They compare unequal 
PKII: [2014/08/15 18:09:47.770] PKI_VerifyCertificates() complete status = -1232; freeing memory

  1. Check the /etc/opt/novll/conf/nds.conf.  Look for https.server.cached-cert-dn=.  Ensure there is only one instance.
    Example of what it should look like https.server.cached-cert-dn=SSL CertificateIP - Srv01.novell.novell
  2. Validate the certificates - See Documentation - Can also delete certificates and run ndsconfig upgrade or ndsconfig add -m sas TID 3376127
  3. Verify the LDAP Server objects in both trees has a certificate assigned
    In iManager go to LDAP role - LDAP Options - View LDAP Servers - Click on LDAP server - Connections - Browse Server Certificate and select the SSL Certificate DNS (default) or another certificate if desired. 
  4. Verify the certificates subject name is correct on the cerficate the LDAP Server has assigned.
    In iManager - Certificate Acces role - Server Certificate - Click on certificate - Verify Subject Name is correct. (O=NOVELL_TREE.CN=server.context.novell)
  5. Verify the tree keys (NICI) are in sync - TID 3092072


Subject name comparison failed
Certificates are missing, expired or invalid
NICI keys may be inconsistent.