5.4 Server Certificate Issues

5.4.1 External CAs

Some third-party CAs such as VeriSign use an intermediate CA to sign server certificates. In order to import these certificates into a Server Certificate object, the server certificate as well as the Intermediate CA and the trusted root certificate must be in a single PKCS #7 formatted file (.P7B). If your CA cannot provide you with such a file, you can create one yourself by following these steps on a client machine with Internet Explorer 5.5 or later installed.

  1. Import the server certificate into Internet Explorer. You can do this by double-clicking on the file or by selecting File > Open and selecting the filename.

  2. If the external CA's certificate is not already listed as a trusted CA in Internet Explorer, import the Intermediate CAs as well as the root level CA in the same manner.

  3. In Internet Explorer, select Tools > Internet Options. Select the Content tab, then select the Certificates button.

  4. On the Personal tab, find the server certificate. Select it and click Export.

  5. Accept the defaults in the wizard until you get to the Export File Format page, then select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.p7b) format.

  6. Continue with the wizard.

    The PKCS #7 file can now be imported into the Server Certificate object.

5.4.2 Moving a Server

If a Server object is moved, the LDAP objects, SAS service object, and Server Certificate objects (Key Material Objects) for that server should also be moved. If you do not move them yourself, the server auto health check moves them for you the next time the server is restarted.

5.4.3 DNS Support

If DNS is configured for the server, the default subject name for a server certificate will be:

.CN=<Server's DNS Name>.O=<Tree Name>

Otherwise, the default subject name is the fully distinguished name of the server. You can modify the default subject name by selecting Custom during the certificate creation process.

5.4.4 Removing a Server from eDirectory

When removing a server from eDirectory™ and then reinstalling it into the same context with the same name, the reinstallation succeeds only if the SAS Service object representing the removed server (if one existed) is also deleted.

The process should go like this:

  1. Determine if the default certificates need to be backed up. If so, back them up.

  2. Delete the default certificates.

  3. Delete the SAS object.

For example, for a server named MYSERVER, a SAS object named SAS Service - MYSERVER could exist in the same container as the server. This SAS object must be manually deleted (using iManager) after the server is removed from the tree, but before the server is reinstalled into the tree.

If the server is the Organizational CA or the SD Key server, you must complete some additional steps. These steps are documented in TID #3623407.

The default server certificates created for the server should also be removed so that they are re-created when the server is reinserted.

These certificates are SSL Certificate IP - MYSERVER and SSL Certificate DNS - MYSERVER. You should be careful when deleting these certificates. If data has been encrypted by using either of these certificates, the data must be retrieved before the certificates are deleted.

5.4.5 Step-Up Cryptography, Server-Gated Cryptography, or Global Certificates

Some external Certificate Authorities provide certificates that enable 40-bit or 56-bit Web browser clients to use 128-bit cryptography when communicating with a server configured with their certificates.

These certificates are sometimes referred to as global certificates or server-gated cryptography certificates. The capability can be referred to as step-up cryptography.

These certificates can be used successfully for LDAP and Web Server connections only if the Web browser has 128-bit cryptography. Web browsers with 40-bit or 56-bit cryptography experience unrecoverable SSL errors when communicating with servers configured with these certificates.

If Web browsers with 40-bit or 56-bit cryptography must communicate with your server, you must request a different type of certificate from your external CA.

5.4.6 Subject Name Limitations for CAs

Server certificates with an @ character in their subject names might cause SSL connections to fail. Contact Technical Support for a resolution of the problem.