15.9 Renewing a Third-Party Certificate

Every certificate has a validity period. When that validity period expires, the certificate is no longer considered an acceptable or usable credential. You can renew the certificate with either the same key set you used before or with a new key set.

Before you renew a certificate, you need to know the following information:

You might want to return a certificate to its original state. To do this, you remove the following attributes from the Key Material Object (KMO):

  1. Open the iChain GUI administration utility.

  2. Back up the certificates you want to renew.

    Assign a different name to the certificates in case you need to restore them.

  3. Restore the certificate you backed up.

  4. Rename the pki.jar file to pki.org in the 1.3.X ConsoleOne® snapin directory.

  5. Log in to the ICS_Tree on the iChain server using user ichainadmin.ics, with password novell.

  6. Open ConsoleOne and find the corresponding KMO in the .ICS container in the ICS_Tree.

  7. Delete the following attributes under the Other tab on the KMO:

    • NDSPKI:Certificate Chain

    • NDSPKI:Key File

    • NDSPKI:Public Key Certificate

  8. Close ConsoleOne and rename the pki.org file back to pki.jar.

    The certificate should be ready to store the renewal certificate using ConsoleOne. Before you import the certificate, convert the renewal certificate to .p7b format by selecting the p7b option and importing the certificate. For more instructions on converting the renewal certificate, see TID 10073709.

    NOTE: Do not attempt to use the iChain Administration GUI to store the updated response file because the GUI process might fail.

    If any errors occur during the storage process, check the following:

    • If the certificate has an intermediate CA, ensure that you convert the response file to .p7b format before you store the renewed certificate with ConsoleOne. For instructions on converting the response file, see TID 10073709.

    • Ensure that you have the latest certificate server snapins for ConsoleOne.

    • Install the .p7b certificate into Internet Explorer, then view it to make sure there are no problems in the certificate chain.

    • Ensure that the time on the iChain server is accurate and that there are no timesync errors in the iChain/NetWare debug consoles. Make sure that your timezone is set correctly. Compare the validity period of your new certificate to the time and date on iChain.

    • Remove the ndspkiAdditionalRoots attributes and their associated values on the KMO.

    For more information about certificates and renewing certificates that have been issued by an external certificate authority, see How to Renew a Novell Certificate that Was Issued by an External CA.
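
The validity-period and chain checks in the troubleshooting list above can also be run from a workstation with OpenSSL before the renewed certificate is stored. The following is an added example, not part of the Novell procedure or of TID 10073709; it assumes OpenSSL and GNU date are installed, and the function names and all file names are placeholders.

```shell
#!/bin/sh
# Added example, not Novell's procedure. Assumes OpenSSL and GNU date;
# every file name passed in is a placeholder.

# Bundle the renewed certificate and any intermediate CA certificates
# (PEM files) into one certs-only PKCS#7 (.p7b) file.
make_p7b() {   # usage: make_p7b out.p7b renewed.pem [intermediate.pem ...]
  local out="$1" n c
  shift
  n=$#
  # Rewrite the argument list as "-certfile f1 -certfile f2 ...".
  for c in "$@"; do set -- "$@" -certfile "$c"; done
  shift "$n"
  openssl crl2pkcs7 -nocrl "$@" -out "$out"
}

# Compare every certificate in the bundle with a reference time in epoch
# seconds (default: the local clock). Returns 0 if all are inside their
# validity period, 1 if any is not, 2 if the bundle cannot be read.
check_p7b_validity() {   # usage: check_p7b_validity bundle.p7b [epoch]
  local p7b="$1" now="${2:-$(date +%s)}" certs tmp f subj nb na rc=0
  # Accept PEM or DER encoded .p7b files.
  certs=$(openssl pkcs7 -in "$p7b" -print_certs 2>/dev/null ||
          openssl pkcs7 -inform DER -in "$p7b" -print_certs 2>/dev/null) || return 2
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one PEM file per certificate.
  printf '%s\n' "$certs" | awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on { print > (d "/" n ".pem") }
    /-----END CERTIFICATE-----/ { on = 0 }'
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || { rc=2; break; }   # no certificate found in the bundle
    subj=$(openssl x509 -in "$f" -noout -subject)
    nb=$(date -u -d "$(openssl x509 -in "$f" -noout -startdate | cut -d= -f2)" +%s)
    na=$(date -u -d "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" +%s)
    if [ "$now" -lt "$nb" ]; then echo "NOT YET VALID: $subj"; rc=1
    elif [ "$now" -gt "$na" ]; then echo "EXPIRED: $subj"; rc=1
    else echo "OK: $subj"; fi
  done
  rm -rf "$tmp"
  return "$rc"
}
```

Pass the time shown on the iChain server as the second argument to `check_p7b_validity` to see whether a clock that is behind or ahead would put the new certificate outside its validity period.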