How to Import an External CA Signed Wildcard certificate

  • 7006420
  • 09-Jul-2010
  • 29-Nov-2020

Environment

Novell eDirectory 8.8 for All Platforms
Novell iManager 2.7
Novell eDirectory 9.x for All Platforms
Novell iManager 3.x

Situation

Many customers have purchased a wildcard certificate for their organization for use with many different servers, products, and operating systems.  Often, they are already using these certificates for non-Novell services within their organization, and would like to use the same wildcard certificate for their Novell services also.

Resolution

When your certificate is issued you will have several files.  One is the server private key (the key that was generated together with the certificate request; keep it confidential).  If you open this file with a text editor, you will see something similar to the following:

-----BEGIN RSA PRIVATE KEY-----
o/1KusAd+1KqVZmhxD1ECkWSAwPRZxd6Xx4fuzoqcwjbBTOZcfXQi5tZBK+OeK1n
.
.
vVl+Gjj5DQv5GrKQ4vZ3OZvYKnHxP6My9tV8t8xM5pMULc90C0HDzA==
-----END RSA PRIVATE KEY-----


The file with these begin and end tags is the server private key file.  Depending on the tool that generated it, the header may instead read "BEGIN PRIVATE KEY" (PKCS#8 format) or "BEGIN ENCRYPTED PRIVATE KEY"; OpenSSL accepts all of these, and for an encrypted key it will ask for the key's passphrase.
The other files are the server certificate file and any intermediate and root Certificate Authority files.  These will look like this:


-----BEGIN CERTIFICATE-----
MIIFcjCCBFqgAwIBAgIkAhwFYuVdlS9r5T0XyUHdXvbwz2cWs2HjTK6bNf0yAgIT
.
.
-----END CERTIFICATE-----


To import an externally signed certificate into eDirectory 8.8 that was not generated from a CSR created within eDirectory, you must have the certificate in .PFX (PKCS#12) format.  The files typically given to you by the certificate vendor can be converted to PFX format with the OpenSSL tool.  This tool is available by default on Linux-based systems, and Windows builds can be downloaded from the internet.  See below if you need details on OpenSSL availability.

OpenSSL is a command line only tool.  On Windows 7 it must be run from a command prompt opened as Administrator.  The command line format for the conversion is:


> openssl pkcs12 -export -inkey <yourServerPrivateKeyFile> -in <yourServerCertificateFile> -certfile <CAChainFile> -out <newCertificateFile>.pfx

example:
> cat intermediateCA.crt rootCA.crt > CAchain.crt
> openssl pkcs12 -export -inkey server.key -in mycertificate.crt -certfile CAchain.crt -out mycert.pfx

When you run the pkcs12 command, it will prompt you for a password to protect the .pfx file (twice for confirmation).  Enter any password you like, but be sure to remember it, as you will need it during the eDirectory import process.  If the private key file is itself passphrase-protected, OpenSSL will first ask for that passphrase.  Note that openssl pkcs12 honours only one -certfile parameter: if the option is given more than once, only the last file is used and the others are silently dropped.  Therefore concatenate the intermediate CA certificate(s) and the root CA certificate into a single file, as in the example above, making sure each file ends with a line break so that one END CERTIFICATE tag does not run into the next BEGIN CERTIFICATE tag.  If the vendor supplied the whole CA chain in one file already, use that file directly.

To import the .pfx file into eDirectory, launch iManager (2.7 or later).   You need a relatively recent version (2008 or later) of the Certificate Server plugin loaded in iManager to have the task that imports the certificate. 

1. Open iManager and connect to the server you wish to host this certificate on, e.g. Srv1.
2. Under the Novell Certificate Access role, click the Server Certificates task.  This will open a page showing all your current certificates.
3. The blue bar at the top of the page shows the name of the server being accessed.  Verify this is the server you want the certificate to be hosted on; if it isn't, click the magnifying glass and browse to the correct server.  Then click 'New'.
4. In the dialog box that opens, specify a name for the certificate object.  This is not the actual certificate subject name, but the name of the object in eDirectory that will hold the certificate data.  Click the 'Import' radio button, then click Next.
5. A new dialog box opens to specify the file to import.  Click the browse button and browse to where you saved the .pfx file created above.  Enter the password you chose when creating the .pfx file.
6. A summary screen of the file to be imported is shown.  Just click next here.
7. Another summary screen, click finish.  If all is validated, your certificate will be imported and stored on the object name you gave.
8. Click Close, and the new certificate will show up in the list of certificates hosted on this server.  Click the check box next to your newly created certificate, then click verify to ensure it is working properly.

Your wildcard certificate is now imported into eDirectory and can be used like any other certificate in eDirectory.  For example, on NetWare you can make Apache use it by changing the certificate object name given on the SecureListen directive in sys:\apache2\conf\httpd.conf.

Additional Information

If you encounter error -1253 when attempting to import the .pfx file in iManager, an alternate method of generating the .pfx file may prove successful.  Combine the intermediate and root certificates into one .crt file (for example with cat, or by pasting the PEM blocks one after another in a text editor, each ending with a line break), then run the pkcs12 command with a single -certfile argument referencing the combined file, as follows:

> openssl pkcs12 -export -inkey server.key -in mycertificate.crt -certfile intermediate_and_root.crt -out mycert.pfx
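The following script is added here as an illustration for this article; it is not part of the original TID and not a Novell or NetIQ tool.  It wraps the conversion from the Resolution section and the single combined-chain-file variant just above into one checked procedure: it concatenates the CA files into one chain file (the only form openssl pkcs12 -certfile uses completely), confirms that the private key belongs to the server certificate, verifies that the certificate chains up to the root through the intermediates, exports the .pfx with the password taken from an environment variable, and reports how many certificates ended up in the file.  The file names, the PFX_PASS variable and the function names are assumptions made for the example.

```shell
#!/bin/sh
# build_pfx.sh: package a vendor-issued (wildcard) server certificate, its
# private key and the CA chain into one PKCS#12 file for import into
# eDirectory, checking the inputs first.  Illustrative helper written for
# this article; it is not a Novell/NetIQ tool.
#
# Usage: build_pfx.sh KEY CERT OUT.pfx CA1.crt [CA2.crt ...]
#   CA files are given from the issuing intermediate upward; the LAST one
#   must be the root.  The export password is read from $PFX_PASS through
#   "-passout env:" so it never appears in the process list; if PFX_PASS is
#   unset, openssl prompts for it as described in the article.

# Concatenate PEM files into one chain file.  awk re-emits every line with a
# newline, so a file lacking a final line break cannot glue its
# "-----END CERTIFICATE-----" onto the next "-----BEGIN CERTIFICATE-----".
# openssl pkcs12 keeps only the last -certfile given, so one file is required.
make_chain_file() {
    chain_out=$1; shift
    awk '1' "$@" > "$chain_out"
}

# The certificate must carry the public half of this private key.  Comparing
# the PEM-encoded public keys works for RSA and EC alike.  A passphrase-
# protected key makes "openssl pkey" prompt for the passphrase.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The server certificate must chain through the intermediates to the root.
# The ": OK" line is checked explicitly because "openssl verify" in releases
# before 1.1.0 exits 0 even when verification fails.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Number of certificates stored in a .pfx (expected: server cert + CA chain).
pfx_cert_count() {
    if [ -n "${PFX_PASS:-}" ]; then
        openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null
    else
        openssl pkcs12 -in "$1" -nokeys 2>/dev/null
    fi | grep -c 'BEGIN CERTIFICATE'
}

build_pfx() {
    if [ $# -lt 4 ]; then
        echo "usage: build_pfx KEY CERT OUT.pfx CA.crt..." >&2
        return 2
    fi
    key=$1; cert=$2; out=$3; shift 3
    for f in "$@"; do root=$f; done           # last CA file listed is the root
    chain="$out.chain.pem"
    make_chain_file "$chain" "$@"
    if ! key_matches_cert "$key" "$cert"; then
        echo "error: $key is not the private key for $cert" >&2
        return 1
    fi
    if ! chain_verifies "$cert" "$chain" "$root"; then
        echo "error: $cert does not chain to $root via $chain" >&2
        return 1
    fi
    if [ -n "${PFX_PASS:-}" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -passout env:PFX_PASS -out "$out"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out"
    fi || return 1
    echo "wrote $out containing $(pfx_cert_count "$out") certificate(s)"
}

if [ $# -ge 4 ]; then
    build_pfx "$@"
fi
```

Run it as `build_pfx.sh server.key mycertificate.crt mycert.pfx intermediateCA.crt rootCA.crt` with PFX_PASS exported (or leave it unset to be prompted), then import mycert.pfx in iManager as described above; the reported certificate count should be the server certificate plus every CA certificate in the chain.  With OpenSSL 3.x, add -legacy to the openssl pkcs12 -export line if the importer rejects the file: 3.x changed the default PKCS#12 protection to AES-256 with PBKDF2 and a SHA-256 MAC, which older PKCS#12 parsers may not understand.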

The OpenSSL tool is available by default on Linux systems.  Windows builds can be downloaded from many places on the internet.  As of July 2010, some valid locations are:

http://gnuwin32.sourceforge.net/packages/openssl.htm
  or
http://www.slproweb.com/products/Win32OpenSSL.html

    This build also requires the Visual C++ 2008 Redistributable package, downloadable from Microsoft at
    http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displayLang=en