Absent Member.

How to change the CA certificate?

Hello,

My CA certificate will expire in a few days. I've created a new CA and I use it to make LDAPS connections.

What do I have to change in the Data Synchronizer system to accept this new CA (LDAPS access)?

Thx

Olivier
Honored Contributor.

Hi,

A few questions ....

Is this a commercial certificate?
Is the name of your certificate "mobility.pem"?

The certificate(s) are stored in /var/lib/datasync/device/mobility.pem (this is for the phones)
and a copy of mobility.pem called server.pem is stored in /var/lib/datasync/webadmin (this is for web access to the datasync server)

Post some answers and I will try to guide you through the process .....
Absent Member.

As written above, the certificate is found in two places:

/var/lib/datasync/webadmin/server.pem
/var/lib/datasync/device/mobility.pem

For the format of the PEM:

If the certificate chain of your certificate is:
CA root
\ CA intermediate
\\ Certificate

then the PEM should look like:

Private key of your own certificate (text, including ---BEGIN RSA PRIVATE KEY--- and ---END RSA PRIVATE KEY---)
Public key of your own certificate (text, including ---BEGIN CERTIFICATE--- and ---END CERTIFICATE---)
Public key of the first intermediate certificate, if present (text, including ---BEGIN CERTIFICATE--- and ---END CERTIFICATE---)
[... Public key of the next intermediate certificate, if present..., repeat until all intermediate certificates are processed in order...]
Public key of the root certificate (text, including ---BEGIN CERTIFICATE--- and ---END CERTIFICATE---)

So in the end your PEM should look something like this:

-----BEGIN RSA PRIVATE KEY-----
encrypted text
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
encrypted text
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted text
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted text
-----END CERTIFICATE-----
[.....]

I've found out that the order of the CA certificates is significant, if you change the order then Datasync won't work.
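As an added example (not code from the thread), the following script builds a throwaway root, intermediate and server certificate with openssl, assembles a mobility.pem in the order described above, and checks both that order and the chain signatures; the names Example Root CA, Example Intermediate CA and mobility.example.com are made up.

```shell
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed throwaway CA hierarchy: root -> intermediate -> server (names are placeholders).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mobility.example.com\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Root CA' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Intermediate CA' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
  -sha256 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=mobility.example.com' \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 \
  -sha256 -extfile leaf.ext -out server.pem 2>/dev/null

# Bundles in the layout the thread describes: private key, server cert, intermediate(s), root.
cat server.key server.pem int.pem root.pem > mobility.pem      # correct order
cat server.key server.pem root.pem int.pem > wrong-order.pem   # intermediate and root swapped

# check_bundle FILE: prints "ok" when the first block is the private key, each
# certificate's issuer is the subject of the next one, and the chain verifies with
# the last certificate as trust anchor; prints "bad" otherwise.
check_bundle() {
  d=$(mktemp -d)
  case "$(grep -m1 -- '-----BEGIN' "$1")" in
    *'PRIVATE KEY'*) ;;   # thread shows "RSA PRIVATE KEY"; PKCS#8 "PRIVATE KEY" also matches
    *) echo bad; return 0 ;;
  esac
  # split the certificates, in file order, into cert.1 cert.2 ...
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert." n)}' "$1"
  [ -f "$d/cert.1" ] || { echo bad; return 0; }
  n=0; for f in "$d"/cert.*; do n=$((n+1)); done; i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$d/cert.$i" | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$d/cert.$((i+1))" | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || { echo bad; return 0; }   # out of order: per the thread, Datasync won't work
    i=$((i+1))
  done
  cat "$d"/cert.* > "$d/chain"
  if openssl verify -CAfile "$d/cert.$n" -untrusted "$d/chain" "$d/cert.1" >/dev/null 2>&1
  then echo ok; else echo bad; fi
}

check_bundle mobility.pem      # ok
check_bundle wrong-order.pem   # bad
```

Run check_bundle against the real mobility.pem before copying it into place; a swapped intermediate and root is reported as "bad" even though openssl verify alone would accept either order.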
Honored Contributor.

You can use SSL Digital Certificate Authority - Encryption & Authentication or sslshopper.com to test the chain of certificates that make up mobility.pem
Absent Member.

Hi guys,

Thank you for your comments. I appreciate it.
I'm not talking about the client certificates found at these paths: /var/lib/datasync/webadmin/server.pem and /var/lib/datasync/device/mobility.pem
I've recreated a self-signed certificate that I use to communicate with my LDAP servers.

Today I found the solution:
I copied my certificate file (PEM) to /etc/ssl/certs on my server and then made a symbolic link in that directory with these commands:
# hash of the certificate's subject name, with the ".0" suffix OpenSSL's CA directory lookup expects
HASH=`openssl x509 -hash -noout -in cert-file.pem`.0
ln -s cert-file.pem $HASH

Thank you
Visitor.

When you update the certificate, how do the mobile devices handle the update? Will they be prompted to download a new certificate, or, since they are already connected, just continue working...

Please advise!

Thx!
Micro Focus Expert

Hi,

I updated my certificate a few months ago. It is a Thawte certificate. My users saw no difference as the devices trusted the certificate chain. The only time a user should be prompted for intervention with a certificate, as far as I'm aware, is if the certificate is not trusted for some or other reason.

Hope that helps.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Visitor.

Thanks that does help!

Do you recommend any order to update or can it be updated on the fly?

Christa
Micro Focus Expert

Hi Christa,

For what it's worth, I use the same certificate chain for both my device connections and my web admin console.

Once you have your certificate and have created the certificate chain (it's mentioned above in this thread if I recall correctly) then it's as simple as the following:

For the Device Connection Certificate... change to /var/lib/datasync/device on your Mobility server.
Back up the existing mobility.pem file.
Copy the mobility.pem file that you have created with your new certificate chain into the above mentioned path.
Restart the datasync service: rcdatasync restart

For the Web Admin Console Certificate.... change to /var/lib/datasync/webadmin on your Mobility server.
Back up the existing server.pem file.
Copy the mobility.pem file that you created earlier into this directory and call it server.pem.
Restart the Web Admin service: rcdatasync-webadmin restart

I did both at the same time, during off-peak hours just for good measure.

Let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Micro Focus Expert

Hi,

For what it's worth, there is a TID on this: https://www.novell.com/support/kb/doc.php?id=7006904

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...