What needs to be done after replacing the Certificate Authority in an Access Manager environment

  • 7023969
  • 25-Jun-2019
  • 11-Jan-2021

Environment

Access Manager 4.4
Access Manager 4.3
Access Manager 4.2
Access Manager 4.1

Situation

There are very few cases where the Certificate Authority needs to be recreated. 

From a NAM perspective there are processes in place for some of these cases, for example when the Primary Admin Console (AC) needs to be moved to another server. In that case the CA is moved to the Secondary AC using the following procedure: Converting a Secondary Administration Console into a Primary Console

However, what if you don't have an ambkup? The first rule is to make sure you take one at least weekly. (An ambkup backs up the NAM related configuration and allows it to be imported into another NAM server with the same version, hostname and IP. See:

So if an ambkup is not available, you can still try to move the CA to the Secondary AC using:

In this case, since the CA's keys and certificates did not change, the existing certificates should continue to work after the move.

If all else fails and you need to recreate the CA for reasons such as:

  • The CA has reached the end of its validity (the CA is expiring).

  • The CA has been compromised.

  • You want to replace the CA certificate for some other reason (a stronger key is desired, a new security policy has made it necessary, you want to have an externally signed CA, etc.).

For more information on these reasons and how to recreate the CA, see:

Now to the purpose of this TID: you have recreated the CA, so what needs to be done to get NAM working again?

Resolution


1) Export the new CA certificate as a DER file. First cd to /opt/novell/devman/bin, then run the following, replacing <password> with the admin password:

source /opt/novell/eDirectory/bin/ndspath && /opt/novell/java/bin/java -cp certtool.jar:/opt/novell/lib64/npki.jar com.novell.nids.certmgr.DirCertTool -edirIP 127.0.0.1 -edirUser cn=admin.o=novell -edirPwd <password> -exportCACert -file ca.der

You can also export it from the AC GUI: Roles and Tasks -> NetIQ Certificate Server Role -> Configure Certificate Authority -> Certificates -> Export the self-signed certificate without the private key, in DER format.


* If you cannot reach iManager on the Primary AC, you can download and use iManager Workstation, which can be extracted on Linux or Windows. See iManager on the NetIQ download site.

2) Add the exported CA certificate to the NAM keystores.

The CA DER file needs to be added manually with keytool in the following locations:

AC: /var/opt/novell/novlwww/devman.cacerts

IDP and AG: /opt/novell/devman/jcc/conf/jcc_devman.keystore

A) For the AC devman.cacerts the keystore password is devman.

Here is an example of importing ca.der into devman.cacerts:

/opt/novell/java/bin/keytool -import -alias configca_2 -keystore devman.cacerts -trustcacerts -file ca.der -storepass devman

* Do the same on any Secondary ACs.

B) For jcc_devman.keystore you first need to get the keystore password.

On each IDP and AG, cd to /opt/novell/devman/jcc and run:

./conf/ksinfo.sh dump

Example of importing the certificate into jcc_devman.keystore, using the password reported by ksinfo.sh:

/opt/novell/java/bin/keytool -import -alias edir_2 -keystore jcc_devman.keystore -trustcacerts -file ca.der -storepass U01eXoV6iyPLVA7

C) For the remaining keystores, ca.der can be added via the Admin Console GUI.

First go to Security -> Trusted Roots and import it.

The original one will be called configca. There is no need to remove it; you can import the new one as configca_2, for example.

Next add it to:

  • IDP cluster's truststore
  • AG ESP truststore
  • Proxy Trust Store

3) Replace the existing certificates used by NAM that were signed by the original CA.

A) Recreate the default certificates (not NAM-specific, but still used for the config store LDAP, etc.).

In the Admin Console GUI -> Roles and Tasks -> NetIQ Certificate Server -> Create Default Certificate.

  • Step 1 -> Browse to the Admin Console server name and select it. (If secondary Admin Consoles.

  • Step 2 -> Click the "Yes" radio button under "Force the generation of new default certificates".
    Ensure the IP addresses are correct for "SSL CertificateIP" and "SSL CertificateDNS"; if not, specify them in the available field.

  • Step 3 -> Click Finish and, once done, ensure the status of each step completes properly.

    An alternative command line option is to run:

ndsconfig upgrade

Enter the admin user with syntax like "admin.novell" and the password when prompted.

B) Recreate the Admin Console certificate used by the Tomcat instance that runs iManager.

  • Go to AC GUI -> Security -> Certificates -> New -> Create a new certificate called admin-console_2.
    Ensure the subject name matches the FQDN of the Admin Console; I'd recommend setting months valid to something like 60.

  • Once created, click on the new certificate and add it to the keystore.

    This adds the new certificate to the keystore on the Admin Console filesystem at /var/opt/novell/novlwww/.keystore.

  • Click the Browse button, then once all the keystores are presented, click on the Admin-Console keystore.

  • Click the "Replace" button and browse to the newly created admin-console_2 certificate. Ensure the alias remains "tomcat".

C) Update/replace the Admin Console's devman.keystore.

This keystore is used by the device manager, which listens on port 8444. NAM devices communicate on this port when sending health information etc. to the Admin Console.

  • Export the admin-console_2 certificate you just created.

    Before exporting, you need to find the keystore password the existing devman.keystore is using. To find it, check the server.xml on the Admin Console at:
    /opt/novell/nam/adminconsole/conf/server.
    Search for "devman.keystore"; it should appear in the devman connector section. Take note of the value of keystorePass.

  • Go to AC GUI -> Security -> Certificates -> export the public/private key in JKS format using the password from server.xml.

  • Copy this file to the Admin Console filesystem at /var/opt/novell/novlwww/devman.keystore.

    You will probably want to rename the existing one first, and ensure the new file has the same permissions and ownership as the original.

  • After the default certificates are created, eDirectory and novell-ac need to be restarted on the Admin Console. Execute the following at the terminal:

    ndsmanage stopall && rcnovell-ac restart

    Note: when novell-ac is started it also starts eDirectory.

 

D) Test-* certificates.

These certificates are meant to be replaced.

If they are currently in use, they need to be replaced with either externally signed certificates or certificates minted with the new Certificate Authority, so first verify whether they are in use.

Check Security -> Certificates and note the test-* certificates that have a device associated with them, then replace them.

E) Take note of any other certificates whose issuer is the original Certificate Authority and replace them as well.
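A small helper script for the keystore steps above (2, 3C and 3E), added here as an example and not part of the original TID or of the Access Manager product. It assumes keytool at /opt/novell/java/bin/keytool (override with KEYTOOL) and exercises the keystorePass lookup against a constructed server.xml snippet rather than a real Admin Console.

```shell
#!/bin/sh
# Added helper for this TID's keystore steps (not from the original TID or the
# NAM product): read the devman connector's keystorePass out of server.xml,
# import a new CA DER into a keystore and verify it, and list keystore entries
# whose issuer is the old CA so they can be scheduled for replacement.
set -e
KEYTOOL="${KEYTOOL:-/opt/novell/java/bin/keytool}"   # NAM's bundled JRE keytool

# Print the keystorePass of the <Connector> whose keystoreFile is devman.keystore.
# Elements are joined onto one line each first, so a Connector split across
# several lines in server.xml is still matched.  $1 = path to server.xml
devman_keystore_pass() {
  tr '\n' ' ' < "$1" | tr '>' '\n' | grep 'devman\.keystore' |
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' | head -n 1
}

# Import a CA DER as a trusted cert and confirm the alias is now present.
# $1 = keystore, $2 = storepass, $3 = alias (e.g. configca_2), $4 = ca.der
import_ca_cert() {
  "$KEYTOOL" -import -noprompt -trustcacerts -alias "$3" -keystore "$1" \
    -storepass "$2" -file "$4"
  "$KEYTOOL" -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null
}

# List aliases holding a certificate issued by the given CA (step 3E candidates).
# $1 = keystore, $2 = storepass, $3 = text from the old CA's subject DN, e.g. its CN
entries_issued_by() {
  "$KEYTOOL" -list -v -keystore "$1" -storepass "$2" |
    awk -v ca="$3" '/^Alias name:/ {alias=substr($0, 13)}
                    /^Issuer:/ && index($0, ca) {print alias}' | sort -u
}

# Constructed sample server.xml (two connectors, only one on devman.keystore),
# written to a temp file so the parser can be exercised offline.
SAMPLE_XML="${TMPDIR:-/tmp}/nam-demo-server.xml"
cat > "$SAMPLE_XML" <<'EOF'
<Service name="Catalina">
  <Connector port="8443" SSLEnabled="true"
             keystoreFile="/var/opt/novell/novlwww/.keystore" keystorePass="tomcat-sample"/>
  <Connector port="8444" SSLEnabled="true"
             keystoreFile="/var/opt/novell/novlwww/devman.keystore"
             keystorePass="devman-sample"/>
</Service>
EOF
echo "devman.keystore password: $(devman_keystore_pass "$SAMPLE_XML")"
```

On a real Admin Console, run entries_issued_by against devman.keystore, jcc_devman.keystore and the AC .keystore with the old CA's CN once the new CA has been imported, to catch anything step 3E would otherwise miss.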