3.10 PKI Health Check

NetIQ Certificate Server incorporates a process that maintains the health and integrity of the Certificate Server components. This process is called the PKI Health Check and it runs when:

When PKI Health Check runs, it performs the following tasks:

Table 3-2 PKI Health Check Tasks

Task

Function

Verifies the server’s link to the SAS Service object

This task checks to see if there is a link from the server object to a SAS:Service object. If the link exists, the task makes sure that the object is named correctly and is in the same context as the server. If the link does not exist, the task checks to see if a correctly named object exists in the same context as the server. If such an object exists, the task creates a link from the server to the object.

Verifies the SAS Service object

This task checks to see if a SAS:Service object exists. If it does not exist, the task creates one and creates a link from the server object to the new object. Then, the task checks to see if the SAS:Service object has the necessary eDirectory rights. If it does not, the task attempts to give the SAS:Service object the rights it needs.

Verifies the links to the KMOs

This task reads the list of Server Certificate objects (or KMOs) that are linked to the SAS:Service object. It checks whether the KMOs are all named correctly and attempts to fix their names if they are not. The task also checks whether the KMOs are all in the same context as the server object and attempts to move them to the correct context if they are not.

Checks the Server Certificates (KMOs)

This task reads all the names of KMOs that are in the same container as the server object and puts them in a list. The task then performs the following for each KMO in the list:

  • Attempts to populate the NDSPKI:Not Before and NDSPKI:Not After attributes with the validity dates of the certificate.

  • Checks whether Public has the Read right to the Host Server attribute.

  • Checks the back link from the KMO to its server. If the back link points to a different server, the task ignores the KMO and removes it from its list.

  • Reads the private key and attempts to unwrap it.

Reverifies the links to the KMOs

This task reads the list of Server Certificate objects (or KMOs) that are linked to the SAS:Service object. It compares each KMO in this list to the list created in Checks the Server Certificates (KMOs). Using the checks from Checks the Server Certificates (KMOs), the task determines if there are any problems with the linked certificates and it unlinks them if the KMO is unusable. The task also determines if there are any unlinked KMOs that are usable by this server and it links them, if they exist.

Creates default certificates

This task determines if Server Self-Provisioning is enabled at the Organizational CA object. If Server Self-Provisioning is not enabled, this step is skipped. If Server Self-Provisioning is enabled, then the task calls the NPKICreateDefaultCertificates() API. This API creates or replaces the SSL CertificateDNS certificate if:

  • The certificate does not exist.

  • The certificate is expired or about to expire.

  • The certificate’s subject name does not match the default IP and DNS address configured for the server.

NOTE: eDirectory 8.8 SP8 does not automatically create SSL CertificateIP. SSL CertificateDNS contains all the IPs listed in the Subject Alternative Name.

In addition, this API acquires all of the IP and DNS addresses configured for the server and it creates and/or replaces a certificate for each one, such as IP AG <ip address> or IP DNS <dns name>, if:

  • The certificates do not exist.

  • The certificates are expired or about to expire.

Synchronizes certificates for external services

This task reads the configuration from the SAS:Service object. For each configured entry, the task acquires the certificates and private key from the specified KMO object. If the specified directory does not exist, the task attempts to create it. The task then unwraps the private key and converts it to the specified raw-key format. The task compares any existing private key and certificate files to the ones from the specified KMO. If the keys and certificates are not the same, the task makes a backup of the existing private key and certificate files and then it overwrites them with the private key and certificates. The keys are written out in a PEM format.

Exports the eDirectory CA certificate to the file system

The way in which this task is accomplished depends on the operating system you are running.

  • Windows: Checks if the SSCert.der and SSCert.pem files in the PKI working directory contain the same certificate as the Organizational CA certificate in eDirectory. It attempts to replace the files if they are not the same.

    The default PKI working directory is c:\Novell\NDS\DIBFiles\CertServ\

  • Linux/AIX/Solaris (Not OES Linux): Checks if the SSCert.der and SSCert.pem files in the eDirectory data directory contain the same certificate as the Organizational CA certificate in eDirectory. It attempts to replace the files if they are not the same.

    The default eDirectory data directory is /var/opt/novell/eDirectory/data

  • OES Linux: Checks if the /etc/opt/novell/certs/SSCert.der and /etc/opt/novell/certs/SSCert.pem files contain the same certificate as the Organizational CA certificate in eDirectory. If the certificates are not the same, the task attempts to replace the files by adding the Organizational CA certificate to the /etc/ssl/certs directory and then running the c_rehash program. Before replacing the files, however, the task creates backups of any existing certificates.
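The compare-then-replace step shared by the "Synchronizes certificates for external services" and "Exports the eDirectory CA certificate to the file system" tasks, as an added illustration that is not NetIQ code: it checks whether SSCert.der and SSCert.pem both encode the reference certificate (PEM is decoded to DER before comparing, so a re-wrapped PEM is not mistaken for a different certificate), backs up any existing files, and only then rewrites them. The working directory, the backup naming and the reference DER bytes (a constructed blob, not a real certificate) are assumptions; the real task obtains the reference from eDirectory.

```python
import base64
import hashlib
import shutil
import time
from pathlib import Path

PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block, or b"" if none."""
    lines = [line.strip() for line in pem_text.splitlines()]
    try:
        start, end = lines.index(PEM_BEGIN) + 1, lines.index(PEM_END)
    except ValueError:
        return b""  # file is not a PEM certificate at all
    return base64.b64decode("".join(lines[start:end]))

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column lines."""
    body = base64.b64encode(der).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"

def files_match(workdir: Path, reference_der: bytes) -> bool:
    """True only if both SSCert.der and SSCert.pem hold exactly reference_der."""
    der_path, pem_path = workdir / "SSCert.der", workdir / "SSCert.pem"
    if not der_path.is_file() or not pem_path.is_file():
        return False
    ref = hashlib.sha256(reference_der).digest()
    return (hashlib.sha256(der_path.read_bytes()).digest() == ref
            and hashlib.sha256(pem_to_der(pem_path.read_text())).digest() == ref)

def sync_ca_files(workdir: Path, reference_der: bytes) -> bool:
    """Rewrite both files when they differ from the reference; back up first.
    Returns True when the files were replaced, False when nothing was changed."""
    if files_match(workdir, reference_der):
        return False
    workdir.mkdir(parents=True, exist_ok=True)  # create the directory if missing
    stamp = time.strftime("%Y%m%d%H%M%S")       # assumed backup naming scheme
    for name in ("SSCert.der", "SSCert.pem"):
        existing = workdir / name
        if existing.is_file():
            shutil.copy2(existing, workdir / f"{name}.{stamp}.bak")
    (workdir / "SSCert.der").write_bytes(reference_der)
    (workdir / "SSCert.pem").write_text(der_to_pem(reference_der))
    return True
```

Run against the platform's PKI working or data directory named in the list above, the function reports whether the on-disk CA copies were stale and leaves a timestamped backup of whatever it replaced.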