Steps to create a wildcard certificate to avoid "The hostname of the iPrint server does not match its certificate" message

  • 7016087
  • 21-Jan-2015
  • 16-May-2017

Environment

NetIQ iManager
Novell iPrint for Linux Open Enterprise Server Support Pack 2 iManger iPrint Plugin
Novell iManager 2.7.4
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2

Resolution

Note:  The below example uses lab.novell.com as the DNS domain.

1) Create a new server certificate
In iManager:
a) Click NetIQ Certificate Server | Create Server Certificate
b) Browse to and select the server hosting iPrint services
c) Specify Nickname - Any name will work.  These steps use the nickname of WildCard.
d) Creation Method is Custom
e) Click Next
f) Select External certificate authority and click Next
g) Key size 2048 and Allow private key to be exported is selected and click Next
h) Edit the subject name (click on pen icon) to replace CN=<your iPrint server name>.lab.novell.com with CN=*.lab.novell.com (You can click on the reverse symbol icon to see the name in a nicer format).  You are replacing your server name with an asterisk *.  Click OK and  Next
i) Click Finish and click the Save Certificate Signing Request link (This will save the file WildCard.csr to the browser's download directory.)  Once saved, click Close
2) Issue the Certificate and create the .DER file
In iManager:
a) Click on the Issue Certificate link under NetIQ Certificate Server
b) Browse and select the saved WildCard.csr file from step 5 and click Next
c) Select "SSL or TLS" under Key type
Note:
"Key usage" options will be grayed out
"Set the key usage extension to critical" should not be selected
"Enable extended key usage" should be selected and Custom should be marked
"Set the extended key usage extension to critical" should not be selected
d) Click Next
e) Select End Entity in Certificate Type and Unspecified for Path Length, ("Set basic constraints extension to critical" should not be selected.
f) Click Next
g) Specify Validity period (This is your choice)
Note:
The subject name will be grayed out and should show CN=*.lab.novell.com.O=TreeName as an example.
Nothing else should be selected
h) Click Next
i)  Select File in binary DER format, click Next and Finish
j)  Click the Download the issued certificate link (The file WildCard.der will be saved to your browser's download directory).
k) Click Close once the file has been saved
3) Create the cert.der file
In iManager:
a) Click on the Configure Certificate Authority link in iManager under NetIQ Certificate Server
b) Click Certificates
c) Select Organizational CA and Export
d) Drop down and select the .O=YourTreeName.OU=Organizational CA
e) Unselect Export private key and Export format should change to DER, click Next
f)  Click the "Save the exported certificate" link to save the cert.der file to the browser's download folder and click Close once the file has been saved
4) Create the cert.pfx file
In iManager:
a) Click NetIQ Certificate Access and then click the Server Certificates link
b) Ensure the server listed in the blue banner under Server Certificates is the iPrint server.  If not, browse to the iPrint server object and select it
c) Notice in the list there is a certificate called WildCard.  Select it and click on the "Import..." link to the right
d) Browse to the cert.der file and select it and click OK
e) Click New and browse to WildCard.der and select it and click OK
f)  Select Waive subject name in certificate
g) Click Next, Finish and Close
h) Select the WildCard certificate and click on Export
i)  Drop down the list and select WildCard.  "Export private key" should be selected as well as "Include all certificates in the certification path if available".  Enter a password of your choice and DO NOT FORGET it.  Click Next
j)  Click the "Save the exported certificate" link.  This will save a file called cert.pfx in the download directory of your browser.
5) Configure the certificates to be used in Apache on the server
a) Copy the saved cert.pfx file from the previous step to the /tmp directory of the iPrint server  ( A tool such as WinSCP can be used for this task.)
b) Open a server terminal session for the iPrint server (putty.exe, for example can be used)
c) Change to the /tmp directory and run:
openssl pkcs12 -in cert.pfx -nocerts -out wildkey.pem
You will be prompted to enter the password from step 4i.
Executing this command should return "MAC verified OK".
You will then be prompted to enter PEM pass phrase DO NOT FORGET this.  In this step you are creating a new PEM pass phrase.
You will then be prompted to verify the newly created pass phrase and assuming you enter it correctly, you will be returned to the console prompt.
d) In the terminal session, run:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out wildcert.pem
You will be prompted to enter the password from step 4i
Executing this command should return "MAC verified OK".
e) In the terminal session, run:
openssl rsa -in wildkey.pem -out wildserver.key
You will be prompted for the pass phrase from step 5c

f) In the same server console, run:
cat wildserver.key >> wildcert.pem
g) In the same server console, run:
openssl rsa -in wildkey.pem -out wildkey1.pem
You will be prompted to enter the passphrase from step 5c
6) Prepare the server and Apache to use newly created wild card certificate
a) Copy the wildkey1.pem and wildcert.pem files to /etc/ssl/servercerts
b) Edit the /etc/apache2/vhosts.d/vhost-ssl.conf - Make a backup copy of the vhost-sll.conf prior to making any changes.
c) Change the following lines in the vhost-ssl.conf:
SSLCertificateFile from /etc/ssl/servercerts/servercert.pem to
SSLCertificateFile /etc/ssl/servercerts/wildcert.pem

and
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem to
SSLCertificateKeyFile /etc/ssl/servercerts/wildkey1.pem
d) Save the file
e) Restart Apache (rcapache2 restart)

If the above process fails to work, edit the /etc/apache2/vhosts.d/vhost-ssl.conf and change the lines back to the defaults or restore the back up file and restart Apache.


Feedback service temporarily unavailable. For content questions or problems, please contact Support.