9555269 Absent Member.

WebAccess with wildcard cert

Can someone tell me how to use a certificate already minted with WebAccess? All the documentation I see goes through generating a CSR and using that to mint a new certificate. The issue is that our wildcard certificate was minted a year ago. My understanding is that I can just use that certificate with Apache / Tomcat as is, but I can't figure out how.
Knowledge Partner

Re: WebAccess with wildcard cert

Is this on OES2 Linux, SLES 10, or NetWare?

I believe with NetWare and OES2 Linux, the apache process will use the eDir certs, in which case you can simply import your wildcard cert (probably a pfx file) into eDir and then edit the http.conf file to use that certificate.

Not sure if Tomcat needs to be adjusted if you're just trying to "sslize" the webaccess interface.
EUWID_Netmaster Absent Member.

Re: WebAccess with wildcard cert

If it is on NetWare, I had the same problem a couple of weeks ago. And I
did not find a way to import the cert into eDir without creating the
CSR already in eDir.

Ullrich



On 20.05.2010 15:46, kjhurni wrote:
>
> Is this on OES2 Linux, SLES 10, or NetWare?
>
> I believe with NetWare and OES2 Linux, the apache process will use the
> eDir certs, in which case you can simply import your wildcard cert
> (probably a pfx file) into eDir and then edit the http.conf file to use
> that certificate.
>
> Not sure if Tomcat needs to be adjusted if you're just trying to
> "sslize" the webaccess interface.
>
>


Knowledge Partner

Re: WebAccess with wildcard cert

IF you have a backed up wildcard cert, it will usually be in a .pfx file format (I think).

To import that (it's really the only way to "move" a cert around), simply go into ConsoleOne, select the container you're going to put the cert into and then select: New -> NDSPKI: Key Material

Select the server you wish to assign to said certificate and select the third box that says Import.

Browse for the pfx file and input the password for said file and away you go.

Now the certificate is held in eDir. Let's say you called it: wildcard

Then edit your httpd.conf file and find the line for the ssl stuff and replace the certificate name in there with the one you just created.

IF you do not already have the wildcard cert, then yes, you have to generate a CSR and ship along to Verisign, etc. and get the signed cert back, etc.
EUWID_Netmaster Absent Member.

Re: WebAccess with wildcard cert

Thanks. I will keep this in mind for next time.

Ullrich


On 20.05.2010 20:46, kjhurni wrote:
>
> IF you have a backed up wildcard cert, it will usually be in a .pfx file
> format (I think).
>
> To import that (it's really the only way to "move" a cert around),
> simply go into consoleone, select the container you're going to put the
> cert into and then select: New -> NDSPKI: Key Material
>
> Select the server you wish to assign to said certificate and select the
> third box that says Import.
>
> Browse for the pfx file and input the password for said file and away
> you go.
>
> Now the certificate is held in eDir. Let's say you called it:
> wildcard
>
> Then edit your httpd.conf file and find the line for the ssl stuff and
> replace the certificate name in there with the one you just created.
>
> IF you do not already have the wildcard cert, then yes, you have to
> generate a CSR and ship along to Verisign, etc. and get the signed cert
> back, etc.
>
>


Knowledge Partner

Re: WebAccess with wildcard cert

In article <kjhurni.4b9jar@no-mx.forums.novell.com>, Kjhurni wrote:
> I believe with NetWare and OES2 Linux, the apache process will use the
> eDir certs,
>

I've lived that process on NetWare without any real problems, but could
someone please point me how to do that with OES2 Linux as all references
I've found to date lead to /dev/null

Am trying to figure it out and will report back with steps taken if
nobody beats me to it. A lack of follow up just means I've stepped back
and am doing the OpenSSL new cert route to feed the
/etc/apache2/vhosts.d/vhost-ssl.conf needs.


Andy Konecny
KonecnyConsulting.ca in Toronto
Slowly The Penguins Are Stealing My Sanity
------------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037


___
Andy of Konecny Consulting in Toronto
Knowledge Partner

Re: WebAccess with wildcard cert

In article <VA.000001eb.0143d917@no-mx.forums.novell.com>, Andy Konecny
wrote:
> I've lived that process on NetWare without any real problems, but could
> someone please point me how to do that with OES2 Linux as all references
> I've found to date lead to /dev/null


The closest I could find is how to export an eDir based key to make it
available to apache. Direct consumption of an eDir cert by OES2Linux
apache still appears to be a myth like the Loch Ness monster. Hope that my
write up below helps someone.
--------------------------------------------------

How to export the eDirectory certificate and import it into OpenSSL for
apache uses such as GroupWise WebAccess.

Novell OES2 for Linux

Apache 2

Intended for when migrating your GroupWise WebAccess to Linux
Export the (possibly externally signed) eDirectory certificate and import
it into OpenSSL. Configure Apache to use the imported Cert.


1. Open ConsoleOne and select the "Key Material Object" (KMO) that you've
been using (on NetWare).

2. Right click on this object and select PROPERTIES, then select the TAB
labeled "Certificates" and then select the EXPORT button.

3. When prompted on whether to export the private key select "YES".

4. Enter the filename and location, for example c:\mail.pfx.

5. You will be required to input a password to protect the private key.
Make sure to note the password used in this step, it will be required
during the import process into OpenSSL.

6. Copy the *.pfx file to your Linux server. From the Linux server type
"openssl" at the console then <enter>. The OpenSSL application is now running
and the console command will look like this:

OpenSSL>

7. Extract the private key: "pkcs12 -in mail.pfx -nocerts -out mail.pem"
Enter the password chosen during the export and then choose a passphrase as
well.

8. Extract the public key: "pkcs12 -in mail.pfx -clcerts -nokeys -out
mcert.pem"

9. Remove the passphrase from the private key: "rsa -in mail.pem -out
mkey.pem"

10. type exit to leave OpenSSL

11. Copy these to the default Apache certificate directory:
/etc/ssl/servercerts

12. The final step is to point Apache config file to the new certificate
files. Edit the /etc/apache2/vhosts.d/vhost-ssl.conf file and change the
SSLCertificateFile and SSLCertificateKeyFile directives to point to the new
certs. Here is what they should look like:

SSLCertificateFile /etc/ssl/servercerts/mcert.pem

SSLCertificateKeyFile /etc/ssl/servercerts/mkey.pem

Now restart apache with "rcapache2 restart"


derived from TID 10098796
http://support.novell.com/docs/Tids/Solutions/10098796.html



Andy Konecny
KonecnyConsulting.ca in Toronto
Slowly The Penguins Are Stealing My Sanity
------------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037


___
Andy of Konecny Consulting in Toronto
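
The procedure in the write-up above as a non-interactive script (an added example, not part of the original post or the TID). It keeps the post's file names mcert.pem and mkey.pem, restricts the unencrypted key to its owner, and checks that the certificate and key belong together and that the certificate is not about to expire before Apache is restarted. The function names and the PFX_PASS variable are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example. Assumption: the PFX password is in the PFX_PASS environment
# variable, so it never appears on the command line or in shell history.

# pfx_to_pem PFX OUTDIR -> writes OUTDIR/mcert.pem and OUTDIR/mkey.pem
pfx_to_pem() {
    local pfx="$1" outdir="$2"
    (
        umask 077    # nothing is ever created group- or world-readable
        # Server certificate only, no key (step 8 of the post).
        openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS \
            -out "$outdir/mcert.pem" || exit 1
        # Private key without passphrase (steps 7 and 9 in one pass), so no
        # intermediate mail.pem is left behind.
        openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS \
            -out "$outdir/mkey.pem" || exit 1
    ) || return 1
    chmod 644 "$outdir/mcert.pem"   # certificate is public
    chmod 600 "$outdir/mkey.pem"    # unencrypted key: owner only
}

# cert_matches_key CERT KEY -> 0 only if both carry the same public key
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_valid_for_days CERT DAYS -> 0 if CERT is still valid DAYS from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Stand-alone use: script.sh mail.pfx /etc/ssl/servercerts
if [ "$#" -eq 2 ]; then
    pfx_to_pem "$1" "$2" &&
    cert_matches_key "$2/mcert.pem" "$2/mkey.pem" &&
    cert_valid_for_days "$2/mcert.pem" 30 &&
    echo "certificate and key are consistent; safe to restart Apache"
fi
```

On OpenSSL 3.x, a PFX written with older encryption may need the -legacy option added to both pkcs12 calls.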