A Forum reader asked the following question …

“The server that hosted the tree certificate of authority crashed, and the CA was not backed up. So it is my understanding that the old one must be deleted and recreated along with all the server certificates
for all the servers in the tree. No user certificates are involved.

My question is this: are there any other objects that need to be deleted and recreated, such as the W0 object?”

And here’s the reply from Richard Beels …


Your new server should be a trustee of the W0 object. You’ll want to grab SDIDIAG and verify the tree keys first. See:
for the instruction set.

Here’s a list of items to check:

Security’s NDSPKI:

Tree CA DN=<CA server>
Public assigned [Read] to NDSPKI Tree CA DN attribute, No Inherit
W0’s NDSPKI:SD Key ServerDN=<CA server>
All servers need to be trustees of W0
SD Key Server DN (and all other Key Servers if more than one) need:
[Entry Rights] Privilege: Browse
[All Attribute Rights] Privileges: Compare, Read, Write, Add Self
Leave the Inheritable box checked.

All other servers need:

[Entry Rights] Privilege: Browse
[All Attribute Rights] Privilege: Read
Leave the Inheritable box checked.
CA’s Host Server=<CA server>

CA’s Trustees:

Host Server has [Supervisor] to All Attrs
Public has [Read] to Cross Certificate Pair & Host Server attrs

A final test is to run PKIDiag on all the servers.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
Jul 26, 2006
12:00 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow