The purpose of this AppNote is to demonstrate how to establish an SSL/TLS connection from eDirectory to the LDAP client by using an x509 digital certificate. This certificate would be issued by a third-party certificate authority, such as Verisign, OpenSSL CA, Entrust CA, or Microsoft Certificate Server.

This AppNote explains the following things:

1. How to generate a certificate signing request, using eDirectory 88 SP2 to a third-party certificate authority (CA).

2. How to obtain an x509 certificate from a third-party CA.

3. How to assign an x509 certificate to the eDirectory LDAP server for SSL/TLS connection with secure LDAP communication.


eDirectory 88 SP2 with the latest security patch should be installed, with access to a third-party certificate server. The trusted CA’s certificate should be obtained from the certificate authority.


Here are a few reasons why we need to establish an SSL/TLS connection using an X509 certificate obtained from a third-party certificate authority:

  • To allow the organization to take advantage of the provider’s understanding of the technical, legal, and business issues associated with certificate use. This typically involves certificate policies, certificate practice statements, etc.
  • To allow LDAP users a greater degree of confidence when conducting secure transactions with the organization.
  • To allow the organization to take advantage of the expertise of a professional service provider.
  • To allow the organization to use certificate-based security technology while developing an internally managed PKI.

Generating the Signing Request

1. Log in to eDirectory as an administrator using iManager 2.7.0.

2. Browse to the Novell Certificate Server role.

3. Click on the Create Server certificate task.
The Server Certificate Creation wizard appears as shown below.

Figure 1 – Create Server Certificate wizard

4. Provide the LDAP server name and the Nickname.

5. Select the Custom option.

6. Click Next.

A web page appears, displaying two options to generate the certificate signing request.

The options are:

1) Use the Novell Organizational CA to sign the certificate signing request.

2) Use an external certificate authority to sign the certificate signing request.

7. Because the objective is to obtain a certificate from the third-party CA, select External certificate authority.

8. Click Next.

Figure 2 – Selecting the external certificate authority

9. In the key size selection window, select the key size of the public/private keys to be generated by Novell security software.

10. Click Next.

The larger the key size, the greater the security that can be provided for communications.

Figure 3 – Specifying the private key

A web page appears containing the subject name that is to be displayed on the X509 certificate.

11. Type the correct subject name for the LDAP server and click Next.

Figure 4 – Certificate parameters

Now all the details (subject name, key pair size, certificate name) of the certificate signing request for the eDirectory 88 SP2 LDAP server are displayed as shown below.

Figure 5 – Parameter display

12. Click the Finish button to obtain the certificate signing request.

The certificate signing request is displayed as shown below.

13. Save the CSR to disk.

Figure 6 – CSR results

Next, you need to create a trusted root container and a trusted root in eDirectory to explicitly trust the third-party CA. To do so,

14. In iManager 2.7.0, browse to the Novell Certificate Server role and click on the trusted root container task. The following web page appears.

Figure 7 – Creating the Trusted Root Container

15. Give a name for the trusted root container and select the context “Security”.

16. Click OK.

The trusted root container is created in the Security container.

17. Browse to the Novell Certificate Server role.

18. Click on the trusted root task to import the third-party CA certificate into the eDirectory trusted certificates.

19. Provide the CA certificate obtained from the CA to eDirectory as follows, and finish the wizard.

Figure 8 – Creating the Trusted Root

Obtaining an x509 Certificate from a Third-party CA

You can obtain an x509 certificate for the eDirectory LDAP server by following the steps below.

1. Submit the certificate signing request (CSR) obtained previously. The Entrust freecerts CA provides free digital certificates to use. The URL is

2. Complete the process to obtain the certificate.

The certificate retrieval process is shown below:

Figure 9 – Retrieving the certificate

Assigning the x509 Certificate to the eDirectory LDAP Server

Next, you need to assign the x509 certificate to the eDirectory LDAP server so that the SSL/TLS connection provides secure LDAP communication. Once the server certificate is obtained from the third-party CA, it must be assigned to the LDAP server. To do this,

1. Log in to eDirectory using iManager 2.7.0 and browse to Novell Certificate Access.

2. Select the Nickname of the server for which the CSR was generated and click the Import hyperlink.

3. Assign the X509 certificate obtained from the third-party CA.

Figure 10 – Importing the X509 certificate

After a successful import of the LDAP server certificate, the following window appears.

Figure 11 – Import results

To assign the imported server certificate to the LDAP server,

4. Go to LDAP > LDAP options > View LDAP servers > Connections.

5. Assign the newly imported server certificate object, the one issued by the third-party CA, to the LDAP server.

This can be seen in the following screenshot:

Figure 12 – LDAP Server parameters


After you obtain an X509 digital certificate from an external CA and assign it to the LDAP server, eDirectory can establish SSL connections using the server certificate issued by the third-party CA. All LDAP clients receive this certificate from the eDirectory server for their secure LDAP connections. Each LDAP client must import the trusted third-party CA certificate in order to validate SSL communications with the eDirectory server.
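The whole flow described in this AppNote (a CSR carrying the LDAP server's subject name and a key of the chosen size, signing by an external CA, and the client's validation against an imported trusted root) can be rehearsed offline. The Go program below is an added example; it is not Novell code and nothing iManager produces. It stands in for the third-party CA with a constructed self-signed CA (the name "Example Third-Party CA"), builds a CSR for the hypothetical host ldap.example.com, issues the server certificate from that CSR, and then runs the client-side check twice, once with the CA certificate in the client's trust store and once without, which is the situation the last paragraph warns about. The function names NewCA, NewServerCSR, Issue and ClientVerify are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds a self-signed CA certificate: a constructed stand-in for the third-party CA.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Third-Party CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewServerCSR mirrors the wizard: a key pair of the chosen size (step 9) and a DER CSR with the server's subject name (step 11).
func NewServerCSR(host string, bits int) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits) // the private key never leaves the server
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host}, // modern clients match the SAN, not the CN
	}, key)
	return csrDER, key, err
}

// Issue is the CA's side: parse the submitted CSR, check its self-signature, then sign a server certificate.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return nil, fmt.Errorf("CSR rejected: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientVerify is the LDAP client's check: chain the presented certificate to a root in its own store (empty pool, never nil: nil means the OS roots) and match the host name.
func ClientVerify(server *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	csrDER, _, err := NewServerCSR("ldap.example.com", 2048) // hypothetical host name
	if err != nil {
		panic(err)
	}
	cert, err := Issue(ca, caKey, csrDER)
	if err != nil {
		panic(err)
	}
	store := x509.NewCertPool() // the client's trust store after importing the CA certificate
	store.AddCert(ca)
	fmt.Println("CA imported on client:", ClientVerify(cert, store, "ldap.example.com"))
	fmt.Println("CA not imported:      ", ClientVerify(cert, x509.NewCertPool(), "ldap.example.com"))
}
```

Run it with `go run`. The first line prints `<nil>` (the chain validates), the second prints an unknown-authority error: the server certificate is unchanged, the only difference is whether the client has imported the CA certificate, which is why that import is a required step on every LDAP client and not optional. The same reasoning applies to the subject name typed in step 11: ClientVerify also rejects the certificate when the host name the client connected to does not match it. Against a live eDirectory server the equivalent check is `openssl s_client -connect <ldap-host>:636 -CAfile <third-party-ca.pem>`, with the placeholders replaced by your own values.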

By: anilkss
Jan 14, 2008
9:23 am
