3.2 Server Certificate Object Tasks

3.2.1 Creating Server Certificate Objects

This task is described in Section 2.4, Creating a Server Certificate Object.

3.2.2 Creating Default Server Certificate Objects

The Certificate Server installation creates default Server Certificate objects.

  • SSL CertificateDNS - server_name

  • A certificate for each IP address configured on the server (IPAGxxx.xxx.xxx.xxx - server_name)

  • A certificate for each DNS name configured on the server (DNSAGwww.example.com - server_name)

NOTE:eDirectory 8.8 SP8 does not automatically create SSL CertificateIP. SSL Certificate DNS contains all the IPs listed in the Subject Alternative Name.

When you attempt to create or repair the default certificates using the PKI iManager plug-in, the SSL CertificateIP certificate will not be created or repaired by default. However, a check box has been provided in the plug-in interface which you can select to override the default behavior and force the creation/repair of the SSL CertificateIP certificate.

If these certificates become corrupt or invalid for some reason, or if you just want to replace the existing default certificates, you can use the Create Default Server Certificates Wizard, as described in the following procedure:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Create Default Certificates.

  4. Browse for and select the server or servers that you want to create default certificates for, then click Next.

  5. Select Yes if you want to overwrite the existing default server certificates or select No if you want to overwrite the existing default server certificates only if they are invalid.

  6. (Single Server only) If you want to use the existing default IP address, select that option. If you want to use a different IP address, select that option and specify the new IP address.

  7. (Single Server only) If you want to use the existing DNS address, select that option. If you want to use a different DNS address, select that option and specify the new DNS address.

  8. Click Next.

  9. Review the summary page, then click Finish.

If you want more control over the creation of the Server Certificate object, you can create the Server Certificate object manually. For more information, see Section 2.4.1, Manually Creating a Server Certificate Object.

3.2.3 Importing a Public Key Certificate into a Server Certificate Object

You import a public key certificate after you have created a certificate signing request (CSR) and the Certificate Authority (CA) has returned the signed public key certificate to you. This task applies when you have created a Server Certificate object by using the Custom option with the External CA signing option.

There are several ways in which the CA can return the certificate. Typically, the CA either returns one or more files each containing one certificate, or returns a file with multiple certificates in it. These files can be binary, DER-encoded files (.der, .cer, .crt., .p7b) or they can be textual, Base64-encoded files (.cer, .b64).

If the file has multiple certificates in it, it must be in PKCS #7 format in order to be imported into a Server Certificate object. Additionally, the file must contain all of the certificates to be imported into the object (the root-level CA certificate, any intermediate CA certificates, and the server certificate).

If the CA returns multiple files to you as a result of signing the certificate, each file contains a different certificate that must be imported into the Server Certificate object. If there are more than two files (one for the root-level CA, one or more for the intermediate CAs, and one for the server certificate), these files must be combined into a PKCS #7 file in order to be imported into a Server Certificate object.

There are several ways to create a PKCS #7 file. One way is to import all of the certificates into Internet Explorer. After they have been imported, the server certificate and all of the certificates in the certificate chain can be exported in PKCS #7 format by using Internet Explorer. For more information on how to do this, see Section 4.4.2, External CAs.

Some CAs do not return a root-level CA certificate along with the server certificate. In order to obtain the root-level CA certificate, contact the CA provider directly or call Technical Support.

To import the certificates into a Server Certificate object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click NetIQ Certificate Access > Server Certificates.

  4. Click Import next to the Server Certificate object you want to modify.

  5. Browse for and select the certificate data file.

  6. Browse for and select the trusted root data file.

    If all certificates are contained in a single file, leave this field blank.

  7. Click OK.

3.2.4 Exporting a Trusted Root or Public Key Certificate

You export a certificate to a file for the following reasons:

  • A client (such as an Internet browser) can use it to verify the certificate chain sent by a cryptography-enabled application.

  • To provide a backup copy of the file.

You can export the certificate in two file formats: DER-encoded (.der) and Base64-encoded (.b64). The .crt extension can also be used for DER-encoded certificates. You can also export to the system clipboard in Base64 format so that the certificate can be pasted directly into a cryptography-enabled application.

To export a trusted root or public key certificate:

  1. Launch iManager.

  2. Log in to the eDirectory tree as a user with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click NetIQ Certificate Access > Server Certificates.

  4. Select the Server Certificate object the particular application is configured to use.

  5. Click Export.

    This opens a wizard that helps you export the certificate to a file.

  6. Use the drop-down list to specify which certificate to export.

  7. Choose not to export the private key.

  8. Select an export format (binary DER or text encoded base64), then click Next.

  9. Click Save the exported certificate to a file and save the file to a location of your choice.

  10. Click Close > Close > OK.

  11. Use the file as needed.

    For example, if you want to install a trusted root certificate in an Internet Explorer browser, double-click the file. This initiates a wizard that will accept the CA as a trusted root. Accepting the CA as a trusted root means that the browser automatically accepts SSL connections with services that use certificates issued by this CA.

3.2.5 Deleting a Server Certificate Object

You should delete a Server Certificate object if you suspect that the private key has been compromised, if you no longer want to use the key pair, or if the trusted root in the Server Certificate object is no longer trusted.

IMPORTANT:After the Server Certificate object is deleted, you cannot recover it unless you have previously made a backup. Before you delete this object, make sure that no cryptography-enabled applications still need to use it.You can re‑create a Server Certificate object, but you will need to reconfigure any applications that referenced the old object.

To delete a Server Certificate object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click NetIQ Certificate Access > Server Certificates.

  4. Select the Server Certificate object you want to delete.

  5. Click OK to delete the object.

3.2.6 Viewing a Server Certificate Object's Properties

In addition to the eDirectory rights and properties that are viewable with any eDirectory object, you can also view properties specific to the Server Certificate object, including the properties of the public key certificate and the Trusted Root certificate associated with it, if they exist.

To view a Server Certificate object's properties:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click NetIQ Certificate Access > Server Certificates.

  4. Click the nickname of the Server Certificate object you want to view.

  5. To view the certificate chain, click the plus sign (+) in front of the certificate’s nickname to expand the view.

  6. Click Cancel.

3.2.7 Viewing a Server Certificate Object's Public Key Certificate Properties

To view a Server Certificate object's public key certificate properties:

  1. Launch iManager.

  2. Log in to the eDirectory tree as a user with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Server Certificate object you want to view.

  5. Click OK.

  6. Click Public Key Certificate.

    • If a public key certificate is installed, the property page displays the subject's fully typed name, the issuer's fully typed name, and the validity dates of the public key certificate.

    • If the public key certificate has not yet been installed, the property page indicates this.

  7. To view the certificate chain, click the plus sign (+) in front of the certificate’s nickname to expand the view.

  8. To view additional information about a public key certificate, click the certificate’s nickname to view the Details page.

    The Details page has information contained in the public key certificate.

  9. Click Close > Cancel.

3.2.8 Viewing a Server Certificate Object's Trusted Root Certificate Properties

To view a Server Certificate object's Trusted Root certificate properties:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and select the Server Certificate object you want to view.

  5. Click OK.

  6. Click Trusted Root Certificate.

    • If a Trusted Root certificate is installed, the property page displays the subject's fully typed name, the issuer's fully typed name, and the validity dates of the trusted root certificate.

    • If the Trusted Root certificate has not yet been installed, the property page indicates this.

  7. To view the certificate chain, click the plus sign (+) in front of the certificate’s nickname to expand the view.

  8. To view additional information about a Trusted Root certificate, click the certificate’s nickname to view the Details page.

    The Details page has information contained in the trusted root certificate.

  9. Click Close > Cancel.

3.2.9 Backing Up a Server Certificate Object

NetIQ Certificate Server allows you to store certificates signed by third-party certificate authorities in server certificate objects. Often these certificates cost a significant amount of money. Unfortunately, if an unrecoverable failure happens on the server that owns the certificates, the server certificate object can no longer be used. In order to protect against such failures, you might want to back up server certificates signed by external CAs and their associated private keys. Then, if a failure should occur, you can use the backup file to restore your server certificate object to any server in the tree that has Certificate Server version 2.21 or higher installed.

NOTE:The ability to back up a Server Certificate object is only available for objects created with Certificate server version 2.21 or later. In previous versions of Certificate Server, the server’s private key was created in a way that made exporting it impossible.

The back up file contains the server’s private key, public key certificate, trusted root certificate, and any intermediate CA certificates stored. This information is stored in PKCS #12 format (also known as PFX).

A server certificate object should be backed up when it is working properly.

To backup a Server Certificate object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Server Certificate object you want to back up.

  5. Click OK.

  6. Click the Certificates tab.

  7. Click either the Trusted Root certificate or the public key certificate. Both certificates are written to the file during the backup operation.

  8. Click Export.

    This opens a wizard that helps you export the certificates to a file.

  9. When asked whether to export the private key, select Yes, then click Next.

  10. Specify a password with 6 or more alphanumeric characters to use in encrypting the PFX file.

  11. Click Next.

  12. Click Save the exported certificate to a file. Select the filename and the location for the backup file.

  13. Click Close.

    The encrypted backup file is written to the location specified. It is now ready to be stored in a secure location for emergency use.

IMPORTANT:The exported file should be put on a diskette or some other form of backup media and stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a vault to ensure that it is available when needed, but inaccessible to others.

3.2.10 Restoring a Server Certificate Object

If the Server Certificate object has been deleted or corrupted, or if the server that owned the Server Certificate object has suffered an unrecoverable failure, the object can be restored to full operation using a backup file created as described in Backing Up a Server Certificate Object.

The ability to restore a Server Certificate object is only available in Certificate Server version 2.21 or later.

If you were unable to make a backup of the server certificate object, the server certificate object might still be usable if NICI 2.x is installed on the server and a backup was made of the NICI configuration information. For information on how to back up and restore the NICI configuration files, see the “Backing Up and Restoring NICI” section in the Novell International Cryptographic Infrastructure 2.7 Administration Guide.

To restore the Server Certificate object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. Delete the old server certificate object.

  4. On the Roles and Tasks menu, click NetIQ Certificate Server > Create Server Certificate.

    This opens the Create a Server Certificate Wizard that creates the object.

  5. In the wizard, specify the server that should own the server certificate object, and specify the certificate nickname of the server certificate. The server must have Certificate Server version 2.21 or higher installed and be up and running.

  6. Select the Import option, then click Next.

  7. Browse for and select the backup file, enter the backup file password, then click Finish.

The server’s private key and certificates have now been restored and the Server Certificate object is fully functional. The backup file can be stored again for future use if desired.

IMPORTANT:Be sure to protect your backup media.

3.2.11 Server Certificate Objects and Clustering

You can set up Server Certificate objects in a clustered environment to ensure that your cryptography-enabled applications that use Server Certificate objects always have access to them. Using the backup and restore feature for Server Certificate objects, you can duplicate the object's keying material from one node in the cluster to all nodes. Using this process for keying material signed by an external CA saves you money by allowing you to duplicate the keying material for one server certificate rather than requiring new keying material for every node in the cluster.

To set up server certificates to work in a clustered environment:

  1. Create a server certificate on a server in the cluster, using either the Organizational CA or an external CA of your choice. See Section 2.4, Creating a Server Certificate Object.

    When you create the server certificate objects, the Common Name (CN) portion of the certificate's subject name should be an IP or DNS name that is specific to the service. Otherwise, you receive a browser warning message indicating that the IP or DNS name on the URL does not match that in the certificate.

    If different services have different IP or DNS addresses, you need to create a server certificate for each service.

  2. Back up the keying material for this server certificate object and restore it by creating a Server Certificate object with the same key pair name as the one you created in Step 1 on all remaining servers in the cluster.

    See Backing Up a Server Certificate Object.

3.2.12 Validating a Server Certificate

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate by using iManager. Any certificate in the eDirectory tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension or an OCSP AIA extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information is provided for these certificates, indicating which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a certificate:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click NetIQ Certificate Access > Server Certificates.

  4. Select the Server Certificate object you want to validate.

  5. Click Validate.

    The status of the certificate is provided in the Certificate Status field. If the certificate is not valid, the reason is given.

3.2.13 Revoking a Trusted Root or Self Signed Certificate

You might find it necessary to revoke a certificate if the key or the CA becomes compromised, if the certificate has been superseded by another certificate, if the certificate is removed from the CRL, cessation of operation, etc.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Server Certificate object you want to modify.

  5. Click OK.

  6. Click the Certificates tab.

  7. Click Trusted Root Certificate or Self Signed Certificate.

  8. Select the certificate, then click Revoke.

    This starts the Revoke Certificate Wizard. Follow the prompts to revoke the certificate.

  9. Click Finish.

3.2.14 Moving a Server Certificate Object to a Different Server

You can move a Server Certificate object from one server to another by using the backup and restore procedures outlined in Backing Up a Server Certificate Object and Restoring a Server Certificate Object.

  1. Make sure the Server Certificate object is functional.

  2. Back up the Server Certificate object.

  3. Restore the Server Certificate object to the desired server.

IMPORTANT:Be sure to protect your backup media.

3.2.15 Replacing a Server Certificate Object's Keying Material

The private key and certificates in the server certificate object can be replaced. They should only be replaced using an internally generated PFX file created during a backup of a server certificate object. Externally generated PFX files can also be used if they contain the private key, the server certificate, and the entire certificate chain. The key and certificates in the file need not match the ones in the object; the data in the file overwrites the key and certificates in the object.

Replacing the private key and certificates in the server certificate object is a serious matter. If the key and certificates do not exactly match the ones in the object, it is the same as deleting the current server certificate object and creating a new one. See the section Deleting a Server Certificate Object for more information on the consequences of deleting the object.

If the key and certificates do match the ones in the object, replacing the keying material has no effect except to regenerate a few attributes used by the Secure Authentication Services (SAS) and NILE services.

To replace the keying material on the Server Certificate object:

  1. As a precaution, back up the server certificate object with the private key. See Backing Up a Server Certificate Object.

  2. Launch iManager.

  3. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  4. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  5. Browse to and select the Server Certificate object you want to modify.

  6. Click OK.

  7. Click the Certificates tab.

  8. Click Trusted Root Certificate or Self Signed Certificate.

    The operation can be started from either page. It replaces both certificates as well as the private key and any other certificates in the certificate chain.

  9. Select the certificate, then click Replace.

    This opens a wizard that helps you specify the PFX (backup) file.

  10. Browse for and select the backup file, enter the backup file password, then click OK.

The server’s private key and certificates have now been replaced and the server certificate is fully functional. The backup file should be stored again for future use if desired.

IMPORTANT:Be sure to protect your backup media.