Certificate Re-creation Script for OES2018, OES2015 and OES11


certificate-creation-4.1.zip

This script is not needed when using "ndsconfig upgrade" to create the certificates.  "ndsconfig upgrade" will create the needed certificate files on the server.

The Certificate Re-creation script recreates the certificates on OES2018, OES2015, and OES11 servers from a Personal Information Exchange (.pfx) file. With an additional parameter it also restarts all the necessary services. The script execution process is described below.

Platforms Supported:

OES2018, OES2015, and OES11 are currently supported.

Script Process:

  1. Prechecks (only executed when the -c switch is used). The prechecks verify that the current certificates are good.

  2. The following files are backed up with the date and time appended:
    /etc/ssl/servercerts/servercert.pem
    /etc/ssl/servercerts/serverkey.pem
    /var/lib/novell-lum/x.x.x.x.der
    /etc/opt/novell/SSCert.pem (OES1)
    /etc/opt/novell/certs/SSCert.pem (OES2 and later)

  3. Creation of new certificates:
    /etc/ssl/servercerts/serverkey.pem
    /etc/ssl/servercerts/servercert.pem
    /etc/opt/novell/SSCert.pem (OES1)
    /etc/opt/novell/SSCert.der (OES1)
    /etc/opt/novell/certs/SSCert.pem (OES2 and later)
    /etc/opt/novell/certs/SSCert.der (OES2 and later)
    /var/lib/novell-lum/x.x.x.x.der

  4. Postchecks (only executed when the -c switch is used). The postchecks verify that the new certificates are good.

  5. Reload services (optional but recommended):
    owcimomd (only in OES1 and OES2)
    sfcb (OES11 and later)
    nldap
    namcd
    apache2

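As an added example (not the certificate-creation script itself), the following POSIX shell script carries out steps 2 to 4 of the process above with openssl: timestamped backups, extraction of the key and certificates from the .pfx, and a post-check that the new files belong together and chain correctly. The CERT_DIR, CA_DIR and PFX_PASS variables are assumptions of this example; the paths default to the OES2-and-later locations listed above, and the LUM x.x.x.x.der file and the service reloads are left out.

```shell
#!/bin/sh
# Added example, not the certificate-creation script from the page: rebuild the
# OES certificate files from an exported .pfx (backup, extract, post-check).
# Locations default to the OES2-and-later paths; override them via environment.
set -u
CERT_DIR="${CERT_DIR:-/etc/ssl/servercerts}"
CA_DIR="${CA_DIR:-/etc/opt/novell/certs}"

# Step 2: keep a copy of an existing file with the date and time appended.
backup_file() {
    [ -f "$1" ] || return 0
    cp -p "$1" "$1.$(date +%Y%m%d-%H%M%S)"
}

# Step 3: extract key, server certificate (with chain) and CA certificate.
# The transfer password is read from $PFX_PASS (env:) so it never appears on
# the command line, and the key is written without it (-nodes).
recreate_from_pfx() {
    pfx="$1"
    for f in "$CERT_DIR/serverkey.pem" "$CERT_DIR/servercert.pem" \
             "$CA_DIR/SSCert.pem" "$CA_DIR/SSCert.der"; do
        backup_file "$f"
    done
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
        -out "$CERT_DIR/serverkey.pem" || return 1
    chmod 600 "$CERT_DIR/serverkey.pem"
    # piping through x509 strips the PKCS#12 bag attributes, leaving clean PEM
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts \
        | openssl x509 -out "$CERT_DIR/servercert.pem" || return 1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -cacerts \
        | openssl x509 -out "$CA_DIR/SSCert.pem" || return 1
    # servercert.pem also carries the trusted certificate (version 4.1 behaviour)
    cat "$CA_DIR/SSCert.pem" >> "$CERT_DIR/servercert.pem"
    openssl x509 -in "$CA_DIR/SSCert.pem" -outform DER -out "$CA_DIR/SSCert.der"
}

# Step 4 post-check: key and certificate match, the certificate has not
# expired, and it chains to the CA certificate just written.
check_certs() {
    certpub=$(openssl x509 -in "$CERT_DIR/servercert.pem" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$CERT_DIR/serverkey.pem" -pubout) || return 1
    [ "$certpub" = "$keypub" ] || return 1
    openssl x509 -in "$CERT_DIR/servercert.pem" -noout -checkend 0 >/dev/null || return 1
    openssl verify -CAfile "$CA_DIR/SSCert.pem" "$CERT_DIR/servercert.pem" >/dev/null
}

if [ $# -eq 1 ]; then
    recreate_from_pfx "$1" && check_certs && echo "certificates recreated and verified"
fi
```

Run it as root with the export password in the environment, for example `PFX_PASS=... ./recreate.sh /directory/fileName.pfx`, so the password does not show up in the process list.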

Option 1 - Recreate Certificates with "ndsconfig upgrade":

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (looks like a magnifying glass).
    3. Select all certificates in the list and click delete.

  2. Delete the SAS Service object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
    3. Check the box next to the SAS Service object and click delete.

  3. Open a terminal as the root user and run "ndsconfig upgrade -j" (-j skips the health check). This creates new eDirectory certificates for this server. If the CA does not exist, it first creates the CA with this server as the host.

  4. Restart services.
    1. LDAP
      • nldap -u
      • nldap -l
    2. Apache2
      • rcapache2 restart
    3. Namcd. This should be run on any server where nam.conf has preferred-server set to this server.
      • namconfig -k
      • rcnamcd restart


Option 2 - Recreate Certificates with iManager, Export, and Run the Script:

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (looks like a magnifying glass).
    3. Select all certificates in the list and click delete.

  2. Delete the SAS Service Object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server you plan on deleting the SAS Service object on (looks like a magnifying glass).
    3. Check the box next to the SAS Service object and click delete.

  3. Create the certificates in iManager. Create default certificates with these steps, or manually create the SSL CertificateDNS certificate with the desired settings.
    1. In iManager, go to NetIQ Certificate Server -> Create Default Certificates.
    2. Select the server for which to create the certificates.
    3. Make sure the IP address and DNS name are correct and click Next.
    4. Click Finish.

  4. Export the Personal Information Exchange File using iManager.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the correct server.
    3. Check the SSL CertificateDNS object.
    4. Click Export.
    5. Select SSL CertificateDNS from the dropdown.
    6. Check "Export private key" and "Include all certificates in the certification path if available."
    7. Assign the private key a password. This protects the private key while it is being transferred; the password is removed in a later step.
    8. Save the resulting PKCS#12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx.
    9. Copy the pfx file to the server.

  5. Run the Certificate Creation Script.
    1. Download certificate-creation-4.1.tbz
    2. Open a terminal as the root user.
    3. Extract the script from the tarball.
      • tar -xjvf certificate-creation-4.1.tbz
    4. Make the script executable.
      • chmod 755 certificate-creation.sh
    5. Run the certificate-creation.sh script.
      • ./certificate-creation-4.1.sh -f /directory/fileName.pfx -l -r

  6. Restart services.
    1. Namcd. This should be run on any server where nam.conf has preferred-server set to this server.
      • namconfig -k
      • rcnamcd restart


Fixes and Enhancements:

Version 4.1

  • servercert.pem now includes the Trusted Certificate.
  • Fixed the format of SSCert.pem.

Version 4.0

  • Added support for OES2015 and OES2018.
  • Fixed a few false success conditions.

Version 3.1

  • The pre and post checks are now optional. They only execute when the -c switch is used.
  • The script no longer tries to restart owcimomd in OES11, since owcimomd is no longer used in OES11.

Version 3.0

  • No longer displays the password when ldapsearch throws an error.

Version 2.0

  • The script now does pre and post checks to see if the certificates are good or bad.
  • Color was also added for easier reading.

Version 1.1

  • The script now checks if you are root.
  • OES2 x86_64 is now supported.
  • A relative path to the .pfx file can now be used.

Note: Using -h will display the other parameter options.

