4.3 User Certificate Tasks

4.3.1 Creating User Certificates

This task is described in Creating a User Certificate.

4.3.2 Creating User Certificates in Bulk

This feature allows you to create user certificates for multiple users at the same time, using one sequence of operations.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Server > Create User Certificate.

    This opens a wizard that helps you create the user certificate.

  4. Browse for and select all users you want to create a user certificate for.

  5. Follow the wizard prompts to create the certificate for each user. For specific information on the wizard pages, click Help.

4.3.3 Importing a Public Key Certificate into a User Object (with or without the Private Key)

You can import any public key certificate into a user object (for example, a certificate signed by a third-party certificate authority). This certificate can appear as one of two types of files:

  • DER: Contains a public key certificate only.

  • PFX or PKCS#12: Contains a public key certificate as well as a private key.

After it is imported, the certificate is stored in the User object and appears on the list of certificates available.

NOTE: When importing a PKCS#12 certificate, only the public key certificate and private key are stored on the User object. No other certificates are stored. The other certificates in the user's certificate chain should instead be stored in the CN=Trusted Roots.CN=Security container (create a new Trusted Root object for each certificate in the chain).

To import a Public Key Certificate into a User object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object to import the public key certificate into.

  5. Click New.

  6. Specify a nickname for the user certificate.

    The nickname should be unique and should help you identify the certificate. You can enter up to 64 characters in the Certificate Nickname field.

  7. Select the import creation method, then click Next.

  8. Browse for and select the certificate to import, then click OK.

  9. (Conditional) If you are importing a certificate with a private key, enter the password for the private key, then click Next.

  10. Click Finish.

    This stores the certificate in the User object, and the certificate appears on the list of certificates available to this user.

4.3.4 Viewing a User Certificate's Properties

In addition to the eDirectory rights and properties that are viewable with any eDirectory object, you can also view properties specific to the user certificate, including the issuer, the certificate status, the private key status, and the validity period.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object whose certificate properties you want to view.

  5. To view the certificate chain, click the plus sign (+) in front of the certificate’s nickname to expand the view.

  6. Click the nickname of the certificate to view its details.

  7. Click Close when you are done viewing.

4.3.5 Exporting a User Certificate

In order to exchange secure e-mail with another person, you must first have the other person’s public key certificate. One way of obtaining that certificate is to export it using iManager. The other person’s certificate can also be obtained by using LDAP or e-mail.

To export your own or any other user’s public key certificate:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object whose certificate you want to export.

  5. Select the certificate, then click Export.

    This opens a wizard that helps you export the user certificate to a file. If you are logged in as the user that owns the certificate, select No when asked if you want to export the private key. See Exporting a User Certificate and Private Key.

  6. If you want to export the private key, select Export private key and provide a password to protect the private key.

  7. Select an export format if you are not exporting the private key, then click Next.

  8. Click Save the exported certificate to a file and save the file to a location of your choice.

  9. Click Close > Close.

4.3.6 Exporting a User Certificate and Private Key

In order to use a certificate for secure e-mail, authentication, or encryption, both the private key and the certificate must be available to the cryptography-enabled application. You must export the user certificate and private key and place them in a location that the application can access before the application can use them.

The private keys in a user’s object belong to that user. Only someone logged in as that user can export the private key. No other user, not even the network administrator, has rights to export another user’s private key.

To export your own private key and certificate:

  1. Launch iManager.

  2. Log in to the eDirectory tree as the user who owns the certificate.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object whose certificate you want to export.

  5. Select the certificate, then click Export.

    This opens a wizard that helps you export the user certificate to a file.

  6. Select Export private key, provide a password to protect the private key, then click Next.

  7. (Optional) Click Export the Certificate into the Browser.

  8. Click Close > Close.

    The encrypted file is written to the location specified. It is now ready to be imported into a cryptography-enabled application.

IMPORTANT: The exported file can be kept to provide a backup. If so, it should be stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a safe place to ensure that it is available when needed, but inaccessible to others.

4.3.7 Validating a User Certificate

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate by using iManager. Any certificate in the eDirectory tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension or an OCSP AIA extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information is provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object whose certificate you want to validate.

  5. Select the user certificate you want to validate.

  6. Click Validate.

    The status of the certificate is provided in the Certificate Status field. If the certificate is not valid, the reason is given.

NOTE: If the user certificate was signed by a third-party CA, the certificate chain must be in the Trusted Roots container in the Security container (CN=Trusted Roots.CN=Security) for the validation to succeed. Typically, the certificate chain consists of a single, root-level CA or it consists of an Intermediate CA and a root-level CA. The name of the Trusted Roots container must be Trusted Roots and each certificate in the chain must be stored in its own Trusted Root object. For instructions on how to create a Trusted Roots container and Trusted Root objects, see Creating a Trusted Root Container and Creating a Trusted Root Object.

When validating user certificates or intermediate CA certificates signed by external CAs, the external CA’s certificate must be stored in a Trusted Root object in order for the certificate validation to be successful. The Trusted Root object must be in a Trusted Root Container named Trusted Roots and it must be located in the Security container.

4.3.8 Revoking a User Certificate

You might need to revoke a certificate if the key or the CA has been compromised, if the certificate has been superseded by another certificate, if the certificate is to be removed from the CRL, if the operation it supported has ceased, and so on.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object whose certificate you want to revoke.

  5. Select the user certificate you want to revoke.

  6. Click Revoke.

    This starts the Revoke Certificate Wizard. Follow the prompts to revoke the certificate.

  7. Click Finish.

4.3.9 Deleting a User Certificate and Private Key

If a user certificate has become invalid or you suspect the private key has been compromised in some way, you might need to delete the user certificate and private key.

Before you delete a user certificate and private key, you should revoke the user certificate. See Section 4.3.8, Revoking a User Certificate.

To delete a user certificate and private key:

  1. Launch iManager.

  2. Log in to the eDirectory tree as the user who owns the certificate or as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Novell Certificate Access > User Certificates.

  4. Browse for and select a User object whose certificate you want to delete.

  5. Select the user certificate you want to delete.

  6. Click Delete.