Related Tips & Info

Certificate Re-creation Script for OES2018, OES2015 and OES11

MigrationDeletedUser
2 Likes

certificate-creation-4.1.zip

This script is not needed when using "ndsconfig upgrade" to create the certificates.  "ndsconfig upgrade" will create the needed certificate files on the server.

The Certificate Re-creation script recreates the certificates on OES2018, OES2015, and OES11 servers using a Personal Information Exchange File. With an additional parameter it will also restart all the necessary services. The following information is obtained in the script execution process.

Platforms Supported:


OES2018, OES2015, and OES11 are currently supported.

Script Process:

 

  1. Prechecks (Only executes when the -c switch is used).  Prechecks are done to verify if the current certificates are good.

     

  2. The following files are backed up with the date and time appended.
    /etc/ssl/servercerts/servercert.pem
    /etc/ssl/servercerts/serverkey.pem
    /var/lib/novell-lum/x.x.x.x.der
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later

     

  3. Creation of new Certificates
    /etc/ssl/servercerts/serverkey.pem
    /etc/ssl/servercerts/servercert.pem
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/SSCert.der //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later
    /etc/opt/novell/certs/SSCert.der //OES2 and later
    /var/lib/novell-lum/x.x.x.x.der

     

  4. Postchecks (Only executes when the -c switch is used).  Postchecks are done to verify if the new certificates are good.

     

  5. Reloads services (optional but recommended)
    owcimond (only in OES1 and OES2)
    sfcb (oes11 and later)
    nldap
    namcd
    apache2

     

Option 1 - Recreate Certificates with "ndsconfig upgrade":

 

  1. Delete current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (looks like a magnifying glass)
    3. Select all certificates in the list and click delete.

       

  2. Delete the SAS Service object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
    3. Check the box next to the SAS Service object and click delete.

       

  3. Open a terminal as the root user and run "ndsconfig upgrade -j" (-j skips the health check). This will create new eDirectory certificates for this server.  If the CA does not exist, it will first create the CA with this server as the host.

     

  4. Restart services.
    1. LDAP
      • nldap -u
      • nldap -l
    2. Apache2
      • rcapache2 restart
    3. Namcd.  This should be run on any server where nam.conf has preferred-server set to this server.
      • namconfig -k
      • rcnamcd restart

         

Option 2 - Recreate Certificates with iManager, Export, and Run the Script:

 

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (looks like a magnifying glass)
    3. Select all certificates in the list and click delete.

       

  2. Delete the SAS Service Object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
    3. Check the box next to the SAS Service object and click delete.

       

  3. Create the Certificates in iManager.  Create default certificates with these steps or manually create the SSL CertificateDNS certificate with the desired settings.
    1. In iManager, got to NetIQ Certificate Server -> Create Default Certificates.
    2. Select the server for which to create the certificates.
    3. Make sure the IP address and DNS name are correct and click Next.
    4. Click Finish.

       

  4. Export the Personal Information Exchange File using iManager.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates
    2. Select the correct server
    3. Check the SSL CertificateDNS object
    4. Click Export.
    5. Select SSL CertificateDNS from the dropdown.
    6. Check "Export private key" and "Include all certificates in the certification path if available."
    7. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
    8. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
    9. Copy the pfx file to the server.

       

  5. Run the Certificate Creation Script.
    1. Download certificate-creation-4.1.tbz
    2. Open a Terminal as the root user.
    3. Extract the script from the tarball.
      • tar –xjvf certificate-creation-4.1.tbz
    4. Make the script executable.
      • chmod 755 certificate-creation.sh
    5. Run the certificate-creation.sh script.
      • ./certificate-creation-4.1.sh -f /directory/fileName.pfx -l -r

       

  6. Restart services.
    1. Namcd.  This should be run on any server where nam.conf has preferred-server set to this server.
      • namconfig -k
      • rcnamcd restart

         

Fixes and Enhancements:

 

Version 4.1

  • servercert.pem now includes Trusted Certificate
  • Fixed the format of SSCert.pem

Version 4.0

  • Added support for OES2015 and OES2018.
  • Fixed a few false success conditions.

Version 3.1

  • The Pre and Post checks are now optional. It only executes when the -c switch is used.
  • The script no longer tries to restart owcimomd in OES11. owcimomd no longer is used in OES11.

Version 3.0

  • No longer displays the password when ldapsearch throws an error

Version 2.0

  • This script will now do pre and post checks to see if the certificates are good or bad
  • Color was also added for easier reading

Version 1.1

  • The script will now check if your are root
  • OES2 x86_64 is now supported
  • A relative path to the .pfx file can now be used.


Note: Using a –h will display other parameter options...

 

Labels:

Collateral
How To-Best Practice
Support Tip
Comment List

  • The script is really goog and helpful, especially when triying with 3rdparty-certs. Is there a possibility the renew/or delete und create the certobject with a new cert over commandline instead of imanager?

    Thanks

  • THANKS! This is gold, I just used the option "Recreate Certificates with "ndsconfig upgrade" very handy. Much quicker than doing via iManager.

  • Hello,

    I used option 2 but that does not re-create the SAS service object.  Is the SAS service object required?

     

    Thanks,

    Andrew Shearer

  • Great script, used this many times. Needs to be updated for OES2015 though...

    This server in not SUSE Linux Enterpriser Server 9 or 10

    #=========== Results Summary ====================================#
    All creations of the certificates SUCCEEDED


    ...but of course nothing actually got updated.
  • Does eDirectory Certificate Server self-provisioning eliminate the need for this script? It seems that this script does a lot more than just have the CA re-key itself. I've had self-provisioning on for some time and I don't see how it corrects all the other eDirectory servers and services that rely on these certificates?

    Can someone set me straight. Thanks.
  • Can you run this script (this process) against the server that has your CA? How about running it against the server running iManager?
  • in reply to rjneilly
    Nevermind. Reread the script and realized that -l and -r are mandatory, therefore nldap will be restarted by the -l option. Help text is misleading in that it states that the -r option will cause a reload of nldap which it doesn't.

    Cheers,

    Ron
  • Hi,

    Thanks for the script. There are two errors with respect to the -r option to reload services.

    1. the help text has a typo, it says 'nlap'. It should say 'nldap'.

    2. the code section for reloadServices does not contain anything to reload the nldap service. It should contain something like:


    echo 'Restarting LDAP service..................................#'
    nldap -u
    nldap -l


    Not sure how this would relate to using the -l option which recreates the LUM cert and restarts the nldap service. If one used both options then nldap would be restarted twice I guess....

    Cheers,

    Ron
  • in reply to MigrationDeletedUser
    I wholeheartedly agree!
  • I would like to see this script moved to an official repo and become officially supported. It is basically a must have on OES servers.
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.