FBezemer Absent Member.

Unable to successfully replace CA

I have a small ZCM 10.3.2 zone (one server)
During the install (about a year ago) I used the eDirectory CA to sign the CSR.
Everything was working fine.

Our CA was going to expire at the end of the year so I recreated the CA.
Now I want to use the new CA for ZCM again.

I followed the steps from the documentation here:
Novell Documentation

Everything seemed OK. New certificate is being used when I open ZCC.
When I try to get my adaptive agent to reregister itself I run into issues.
I get error "sslpolicyerrors.remotecertificatechainerrors" in the agent debug log and the message "Could not establish trust relationship for the SSL/TLS secure channel" error if I do a zac reg.
I found TID 7002409 on the issue, but it does not help in my case.

So I went back and recreated the certificates using the internal CA, no issues after that. Everything seems to work fine then.

But I do want to use my own signed certificate if possible.

Any ideas?
Anonymous_User Absent Member.

Re: Unable to successfully replace CA

.... have you updated the certificate in ZCC?
Could you check in ZCC
"Configuration" =>
"User Sources" => click on TREE
"Authentication Servers" => click on your OES-Server under "Connection"
=> please check your certificate here




On 30.05.2011 05:06, FBezemer wrote:
>
> I have a small ZCM 10.3.2 zone (one server)
> During the install (about a year ago) I used the eDirectory CA to sign
> the CSR.
> Everything was working fine.
>
> Our CA was going to expire at the end of the year so I recreated the
> CA.
> Now I want to use the new CA for ZCM again.
>
> I followed the steps from the documentation here:
> 'Novell Documentation'
> (http://www.novell.com/documentation/zcm10/zcm10_system_admin/?page=/documentation/zcm10/zcm10_system_admin/data/boihv3o.html)
>
> Everything seemed OK. New certificate is being used when I open ZCC.
> When I try to get my adaptive agent to reregister itself I run into
> issues.
> I get error "sslpolicyerrors.remotecertificatechainerrors" in the agent
> debug log and the message "Could not establish trust relationship for the
> SSL/TLS secure channel" error if I do a zac reg.
> I found TID 7002409 on the issue, but it does not help in my case.
>
> So I went back and recreated the certificates using the internal CA, no
> issues after that. Everything seems to work fine then.
>
> But I do want to use my own signed certificate if possible.
>
> Any ideas?
>
>


FBezemer Absent Member.

Re: Unable to successfully replace CA

Hi,

No I didn't check that.
But I don't see the relevance, my question is about the certificates used within ZCM, not the LDAP certificate to the usersource.
Even if I don't have a usersource I would get the same issue (I assume).
Thanks for your reply.




Bernhard Muehlbauer;2110196 wrote:
.... have you updated the certificate in ZCC?
Could you check in ZCC
"Configuration" =>
"User Sources" => click on TREE
"Authentication Servers" => click on your OES-Server under "Connection"
=> please check your certificate here