3.5 Using eDirectory Certificates with External Applications

This option is not supported on OES 1.

Some customers use non-eDirectory applications that require X.509 certificates and keys (for example, Apache or OpenSSL). Most of these applications ship with self-signed certificates, which carry no trust value and are meant only as a temporary measure until the application is configured with properly issued X.509 certificates and keys.

Unfortunately, many administrators do not replace these self-signed certificates, often because it is too time-consuming or too difficult. In addition, X.509 certificates are designed to expire regularly, so replacing them on a regular basis is an ongoing administrative task.

The following sections describe the solution to this problem:

3.5.1 PKI Health Check Functionality

In response to customer requests to provide non-eDirectory applications with X.509 certificates, the PKI Health Check code within NetIQ Certificate Server now provides the capability to automatically export X.509 certificates and keys to the file system, enabling non-eDirectory applications to take advantage of eDirectory-minted certificates and eDirectory-managed certificates.

When the PKI Health Check runs, it overwrites the certificate and private key files at the configured paths. To ensure that no valid certificates and private keys are lost, it first compares the existing files with the certificate and key configured in eDirectory. If they differ, the PKI Health Check backs up the existing files before overwriting them, so that certificates acquired from an external source (for example, a commercial CA such as VeriSign) are not deleted. Note that the exported private key file and any backup of it both contain the server's private key: restrict both to the account the application runs as, and remove backups you no longer need.

After a configuration has been created for the server on the SAS:Service Object, keys and certificates associated with the specified server are automatically exported to the file system. If the keys and certificates are replaced or updated in eDirectory (for example, if the Server Certificate object is deleted and a new one is created with the same name), the new keys and certificates are automatically exported to the file system the next time PKI Health Check runs.

NOTE: The PKI Health Check code within NetIQ Certificate Server runs once every time NetIQ Certificate Server loads or reloads. You can reload NetIQ Certificate Server by any of the following methods:

  • Restart the server

  • Restart eDirectory

  • Unload and load PKI Server manually

  • Run an eDirectory repair (NDSRepair)

    NetIQ Certificate Server shuts down during the repair and reloads after the eDirectory repair is finished.

For more information on the PKI Health Check, see Section 3.10, PKI Health Check.

Before the PKI Health Check can automatically export X.509 certificates and keys to the file system, the SAS:Service Object must be configured. This is because the PKI Health Check reads the configuration on the SAS:Service Object. For information on how to configure the SAS:Service Object, see Section 3.5.2, Configuring the SAS:Service Object to Export eDirectory Certificates.

3.5.2 Configuring the SAS:Service Object to Export eDirectory Certificates

Before an eDirectory Server Certificate can be exported to the file system, a configuration must first be created for the server on the SAS:Service Object. This can be done either automatically or manually, depending on which eDirectory server you are using. Only OES 2 Linux servers can be configured automatically during installation to create this configuration; on all other eDirectory servers, you must create it manually. The following sections further explain these options:

Manually Configuring the SAS:Service Object to Enable Use of eDirectory Certificates

If you are not using OES 2 as your eDirectory server, you must manually configure the SAS:Service Object in order to export eDirectory certificates. Each configuration specifies one Server Certificate by name. If multiple server certificates need to be exported, create multiple configurations: a configuration can export the same certificate to an additional file path, or a different certificate to its own file path.

NOTE: Each configuration must use unique file paths in order to avoid file collisions. The Public key path and the Private key path must differ from each other and from the paths used by any other configuration.

To create a configuration on the SAS:Service object:

  1. In iManager, in the Roles and Tasks view, click NetIQ Certificate Access.

  2. Click SAS Service Object.

  3. On the SAS Service Object page, click the Browse icon.

  4. Browse to and select the SAS:Service object where you want to create the configuration.

  5. Click the SAS:Service object.

  6. Click New.

    The Server Certificate Synchronization window is displayed.

  7. In the Certificate field, browse for and select the certificate you want to export.

  8. In the Public key path field, specify the path where the application will find and use the certificate. For example: C:/novell/nds/servercert.pem.

  9. In the Private key path field, specify the path where the application will find and use the certificate’s private key. For example: C:/novell/nds/serverkey.pem.

  10. Select the key type that you are going to use. If you are running OpenSSL, select PKCS#8. If you are running Apache, select PKCS#1. You can confirm the result on disk afterwards: an exported PKCS#1 key begins with a BEGIN RSA PRIVATE KEY line, an exported PKCS#8 key with a BEGIN PRIVATE KEY line.

  11. Click OK.

    The configuration is created. The name, path, key path and key type are displayed.

To create another configuration, repeat Step 6 through Step 11.
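The export and backup behaviour described in Section 3.5.1, together with the key-type choice made in Step 10, modelled as an added Python example. This is illustrative code written for this page, not NetIQ's PKI Health Check implementation. It assumes the standard PEM labels (a PKCS#1 key is labelled RSA PRIVATE KEY, a PKCS#8 key PRIVATE KEY), chooses its own backup file name and file modes, and runs on constructed placeholder PEM files rather than real key material:

```python
import os
import shutil
import tempfile
import time

# The PEM label tells you which key type from Step 10 was exported.
PEM_LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}
EXPECTED_KEY_TYPE = {"Apache": "PKCS#1", "OpenSSL": "PKCS#8"}


def pem_label(pem):
    """Return the label of the first PEM block, e.g. 'CERTIFICATE'."""
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
            return line[len(b"-----BEGIN "):-len(b"-----")].decode("ascii")
    raise ValueError("no PEM block found")


def key_type(key_pem):
    """Classify a private key file as 'PKCS#1' or 'PKCS#8'; reject anything else."""
    label = pem_label(key_pem)
    if label not in PEM_LABELS:
        raise ValueError("not an unencrypted RSA private key: " + label)
    return PEM_LABELS[label]


def export_file(path, data, private):
    """Write data to path as the health check does: an existing file that differs
    from what eDirectory holds is backed up before it is overwritten. Returns the
    backup path, or None. Backup name and file modes are this example's choices."""
    backup = None
    if os.path.exists(path):
        with open(path, "rb") as f:
            existing = f.read()
        if existing != data:
            backup = path + "." + time.strftime("%Y%m%d%H%M%S") + ".bak"
            shutil.copy2(path, backup)
            if private:
                os.chmod(backup, 0o600)  # the backup holds a private key too
    mode = 0o600 if private else 0o644
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # os.open's mode only applies to files it creates
    return backup


def export_configuration(cert_pem, key_pem, cert_path, key_path, application):
    """Apply one SAS:Service configuration (certificate, Public key path,
    Private key path, key type) for application 'Apache' or 'OpenSSL'."""
    if os.path.abspath(cert_path) == os.path.abspath(key_path):
        raise ValueError("Public key path and Private key path must differ")
    if pem_label(cert_pem) != "CERTIFICATE":
        raise ValueError("the Public key path receives the certificate")
    expected, actual = EXPECTED_KEY_TYPE[application], key_type(key_pem)
    if actual != expected:
        raise ValueError(f"{application} expects {expected}, got {actual}")
    return {"cert_backup": export_file(cert_path, cert_pem, private=False),
            "key_backup": export_file(key_path, key_pem, private=True)}


# Constructed placeholder PEM files: the bodies are not real key material.
EDIR_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBedirCert==\n-----END CERTIFICATE-----\n"
EDIR_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEedirKey==\n-----END PRIVATE KEY-----\n"
VENDOR_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBvendorCert==\n-----END CERTIFICATE-----\n"
VENDOR_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEvendorKey==\n-----END RSA PRIVATE KEY-----\n"


def demo():
    """Run three health-check passes in a scratch directory and report what happened."""
    d = tempfile.mkdtemp()
    cert_path, key_path = os.path.join(d, "servercert.pem"), os.path.join(d, "serverkey.pem")
    try:
        # Pass 1: nothing on disk yet, so nothing to back up.
        first = export_configuration(EDIR_CERT, EDIR_KEY, cert_path, key_path, "OpenSSL")
        # An administrator then installs an externally acquired pair by hand.
        with open(cert_path, "wb") as f:
            f.write(VENDOR_CERT)
        with open(key_path, "wb") as f:
            f.write(VENDOR_KEY)
        # Pass 2: the files differ from eDirectory's, so they are backed up first.
        second = export_configuration(EDIR_CERT, EDIR_KEY, cert_path, key_path, "OpenSSL")
        with open(second["key_backup"], "rb") as f:
            backed_up_key = f.read()
        # Pass 3: disk already matches eDirectory, so no new backups.
        third = export_configuration(EDIR_CERT, EDIR_KEY, cert_path, key_path, "OpenSSL")
        # A PKCS#1 key configured for OpenSSL (which expects PKCS#8) is rejected.
        try:
            export_configuration(EDIR_CERT, VENDOR_KEY, cert_path, key_path, "OpenSSL")
            rejected = False
        except ValueError:
            rejected = True
        return {"first_pass_backups": (first["cert_backup"], first["key_backup"]),
                "second_pass_backed_up": None not in second.values(),
                "backup_holds_vendor_key": backed_up_key == VENDOR_KEY,
                "key_mode": oct(os.stat(key_path).st_mode & 0o777),
                "backup_key_mode": oct(os.stat(second["key_backup"]).st_mode & 0o777),
                "third_pass_backups": (third["cert_backup"], third["key_backup"]),
                "wrong_key_type_rejected": rejected}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The explicit chmod on both the written key and its backup is the part worth copying: whatever writes these files inherits the mode of a file that was already there, and a backup made with copy2 keeps the original's mode, so a key an administrator dropped in world-readable stays world-readable unless the exporter tightens it.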

If you are using a Linux server that is running OES 2 or later as your eDirectory server, then you can automatically configure the server to create a configuration on the SAS:Service Object. For more information on how to do this, see Automatically Configuring the SAS:Service Object to Enable Use of eDirectory Certificates (OES 2 Only).

Automatically Configuring the SAS:Service Object to Enable Use of eDirectory Certificates (OES 2 Only)

When installing OES 2 on Linux, the YaST installer provides a configuration screen that allows you to specify whether you want to automatically configure the server to export eDirectory Server Certificates to the file system, eliminating the need to manually configure the server through iManager. Ensure that you select this option.

Table 3-1 shows which OES versions support exporting eDirectory certificates and how each version creates the configuration.

Table 3-1 OES Versions and eDirectory Certificates

OES Version   Supports eDirectory Certificates   Additional Information
OES 1         No                                 (none)
OES 2         Yes                                Only new server installations offer automatic configuration; upgrades and post-installs do not.
OES 2 SP1     Yes                                All installations offer automatic configuration by default.

NOTE: If use of eDirectory certificates is enabled while installing OES 2 (the default), the install code creates a configuration for the SSL CertificateDNS object, and its certificate and key are exported to the following files:

key file - /etc/ssl/servercerts/serverkey.pem

certificate file - /etc/ssl/servercerts/servercert.pem
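A check an operator can run on the exported files before pointing Apache or OpenSSL at them, as an added shell example written for this page (not a NetIQ tool). It assumes the openssl command-line tool is installed and defaults to the OES 2 paths listed above; pass other paths as arguments for a manually created configuration:

```sh
#!/bin/sh
# verify_exported_pair CERT KEY: exit 0 when the exported certificate and private
# key are usable together, non-zero (with a reason on stderr) otherwise.
verify_exported_pair() {
    cert="$1"
    key="$2"

    # 1. The private key must not be readable by group or others
    #    (characters 5-10 of the ls -l mode string are the group/other bits).
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "key $key is readable by group/others ($perms)" >&2; return 1; }

    # 2. The key must be one of the two formats Step 10 can export:
    #    PKCS#1 is labelled RSA PRIVATE KEY, PKCS#8 is labelled PRIVATE KEY.
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$key" | head -n 1)
    case "$label" in
        "RSA PRIVATE KEY") echo "key format: PKCS#1 (Apache)" ;;
        "PRIVATE KEY")     echo "key format: PKCS#8 (OpenSSL)" ;;
        *) echo "unexpected PEM label in $key: '$label'" >&2; return 1 ;;
    esac

    # 3. The certificate must parse and must not already have expired.
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 \
        || { echo "certificate $cert is expired or unreadable" >&2; return 1; }

    # 4. The key must belong to the certificate: the public key embedded in the
    #    certificate has to equal the public key derived from the private key.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key $key does not match certificate $cert" >&2; return 1; }

    echo "OK: $cert and $key are a valid pair"
}

# Stand-alone use: ./verify_pair.sh --run [CERT] [KEY]; defaults are the OES 2 paths.
if [ "${1:-}" = "--run" ]; then
    verify_exported_pair "${2:-/etc/ssl/servercerts/servercert.pem}" \
                         "${3:-/etc/ssl/servercerts/serverkey.pem}"
fi
```

Run it again after every PKI Health Check pass that follows a certificate change in eDirectory; if the pair on disk stops matching, the check in step 4 catches it before the application fails to start.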