Troubleshooting SSL Certificate Issues with the eDir-eDir Driver

I have seen an increasing number of customers who have issues with SSL certificates and the edir2edir driver. There can be several causes for this, but most of the time the resolution is the same. The certificate creation wizard within iManager can be fantastic, or it can fail for one reason or another (come on, we can't all be perfect.) This will very often be the end of the line for standard troubleshooting.


Simple but effective ...

I just wanted to share the almost forgotten DirXML 1.1a documentation (back before the days of the wizard). It will guide you through the manual process that the certificate creation wizard performs in the background. I must mention that if you run into certificate problems on NetWare, the first step would be running PKIDiag. Use option 4 then 0 on both sides (how did we live before this tool?), which will often correct issues with expired certificates.

Running through the manual process has one of two outcomes: either it fixes the issue (and, like magic, the driver starts up and carries on working), or it highlights a more significant problem with the CA itself. Either way, you are no longer at a dead end and should have a better idea of where to head next.

The instructions for Configuring Secure Data Transfers using ConsoleOne can be found here:

One gotcha: if you give the new certificate a different name when you create it, you must update the driver configuration to reflect the change. Do this by modifying the Authentication ID field so that it holds the new certificate name. That name is the key pair name you entered when you created the certificate, which is NOT the complete name of the KMO object.

The documentation defines it like this:

"The key pair name of a KMO is the part of the eDirectory object name that appears before the dash (-). The part of the object name that appears after the dash is the eDirectory server name to which the KMO belongs. When using the name of a KMO in the driver configuration, always use the key pair name. For example, if the name of the eDirectory object is Driver Cert - SRV1_TAO, the key pair name is Driver Cert."
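As an added example (not from the original article or the Identity Manager documentation), the following helper applies that naming rule: it splits a KMO object name, or its full DN, into the key pair name and server name, and checks whether the value a driver carries in its Authentication ID is the key pair name or, by mistake, the whole KMO name. It assumes KMO names follow the "<key pair name> - <server name>" form quoted above and that eDirectory server names never contain " - ", so splitting on the last " - " is safe even when the key pair name itself contains a dash; the names `parse_kmo_name`, `check_authentication_id` and the sample values are made up for illustration.

```python
"""Derive the KMO key pair name the eDir-to-eDir driver expects as its Authentication ID.

Added example, not code from the original article or from Identity Manager.
Assumptions: a KMO object name reads "<key pair name> - <server name>" (as the quoted
documentation states) and server names never contain " - ", so splitting on the LAST
" - " recovers both parts even when the key pair name contains a dash.
"""
from __future__ import annotations

from dataclasses import dataclass

SEPARATOR = " - "


@dataclass(frozen=True)
class Kmo:
    key_pair_name: str  # the part before the dash; goes into Authentication ID
    server_name: str    # the part after the dash; the server that owns the KMO


def parse_kmo_name(object_name: str) -> Kmo:
    """Split a KMO object name (or a DN such as 'cn=Driver Cert - SRV1_TAO,o=novell')."""
    name = object_name.strip()
    # Accept a full DN: keep only the value of the leading cn= RDN.
    # (Escaped commas inside the cn value are not handled; assumed absent here.)
    if name.lower().startswith("cn="):
        name = name[3:].split(",", 1)[0]
    if SEPARATOR not in name:
        raise ValueError(f"{object_name!r} is not in '<key pair name> - <server>' form")
    key_pair, server = name.rsplit(SEPARATOR, 1)
    if not key_pair.strip() or not server.strip():
        raise ValueError(f"{object_name!r} has an empty key pair or server part")
    return Kmo(key_pair.strip(), server.strip())


def check_authentication_id(configured: str, kmo_object_name: str) -> tuple[bool, str]:
    """Return (ok, message) for the value found in a driver's Authentication ID."""
    kmo = parse_kmo_name(kmo_object_name)
    value = configured.strip()
    if value == kmo.key_pair_name:
        return True, f"Authentication ID '{value}' matches the key pair name of '{kmo_object_name}'"
    # The common mistake: the full KMO object name (or its DN) was entered instead.
    try:
        as_kmo = parse_kmo_name(value)
    except ValueError:
        as_kmo = None
    if as_kmo is not None and as_kmo.key_pair_name == kmo.key_pair_name:
        return False, (f"Authentication ID '{value}' is the full KMO object name; "
                       f"use the key pair name '{kmo.key_pair_name}' instead")
    return False, (f"Authentication ID '{value}' does not match the key pair name "
                   f"'{kmo.key_pair_name}' of '{kmo_object_name}'")


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tree.
    for configured in ("Driver Cert", "Driver Cert - SRV1_TAO", "Old Cert"):
        ok, message = check_authentication_id(configured, "Driver Cert - SRV1_TAO")
        print("OK  " if ok else "FIX ", message)
```

Run it against the Authentication ID value from the driver's properties and the KMO object shown in iManager or ConsoleOne; a "FIX" line with the full KMO name is exactly the gotcha described above.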

I know I have not shared anything really new, but I hope this has been helpful and will help get things up and running sooner if you ever run into this problem.
