Certificate Re-creation Script for OES2018, OES2015 and OES11

This script is not needed when the certificates are recreated with "ndsconfig upgrade" (Option 1 below): "ndsconfig upgrade" writes the needed certificate files on the server itself.

The Certificate Re-creation script recreates the certificates on OES2018, OES2015, and OES11 servers from a Personal Information Exchange (.pfx, PKCS#12) file exported from iManager. With an additional parameter it also restarts the necessary services. The sections below describe what the script does and the two ways of recreating the certificates.

Platforms Supported:

OES2018, OES2015, and OES11 are currently supported.

Script Process:

  1. Prechecks (only executed when the -c switch is used). The prechecks verify whether the current certificates are good before anything is changed.

  2. The following files are backed up with the date and time appended to the file name:
    /etc/ssl/servercerts/servercert.pem
    /etc/ssl/servercerts/serverkey.pem
    /var/lib/novell-lum/x.x.x.x.der
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later

  3. Creation of the new certificate files:
    /etc/ssl/servercerts/serverkey.pem
    /etc/ssl/servercerts/servercert.pem
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/SSCert.der //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later
    /etc/opt/novell/certs/SSCert.der //OES2 and later
    /var/lib/novell-lum/x.x.x.x.der

  4. Postchecks (only executed when the -c switch is used). The postchecks verify that the new certificates are good.

  5. Reload of services (optional, but recommended):
    owcimomd (only in OES1 and OES2)
    sfcb (OES11 and later)
    nldap
    namcd
    apache2


Option 1 - Recreate Certificates with "ndsconfig upgrade":

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (click the magnifying-glass icon).
    3. Select all certificates in the list and click Delete.

  2. Delete the SAS Service object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server whose SAS Service object you plan on deleting (click the magnifying-glass icon).
    3. Check the box next to the SAS Service object and click Delete.

  3. Open a terminal as the root user and run "ndsconfig upgrade -j" (-j skips the health check). This creates new eDirectory certificates for this server. If the CA does not exist yet, it first creates the CA with this server as the host.

  4. Restart services.
    1. LDAP
      • nldap -u
      • nldap -l
    2. Apache2
      • rcapache2 restart
    3. Namcd. This should be run on any server where nam.conf has preferred-server set to this server.
      • namconfig -k
      • rcnamcd restart


Option 2 - Recreate Certificates with iManager, Export, and Run the Script:

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (click the magnifying-glass icon).
    3. Select all certificates in the list and click Delete.

  2. Delete the SAS Service Object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server whose SAS Service object you plan on deleting (click the magnifying-glass icon).
    3. Check the box next to the SAS Service object and click Delete.

  3. Create the certificates in iManager. Either create the default certificates with these steps or manually create the SSL CertificateDNS certificate with the desired settings.
    1. In iManager, go to NetIQ Certificate Server -> Create Default Certificates.
    2. Select the server for which to create the certificates.
    3. Make sure the IP address and DNS name are correct and click Next.
    4. Click Finish.

  4. Export the Personal Information Exchange file using iManager.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the correct server.
    3. Check the SSL CertificateDNS object.
    4. Click Export.
    5. Select SSL CertificateDNS from the dropdown.
    6. Check "Export private key" and "Include all certificates in the certification path if available."
    7. Assign the private key a password. It only protects the private key while the file is being transferred; the password is removed in a later step, when the script writes the PEM key file.
    8. Save the resulting PKCS#12 file (Personal Information Exchange format) to a secure location on the workstation running the browser. The default file name is cert.pfx.
    9. Copy the .pfx file to the server over a protected channel (for example scp), keep it readable by root only, and delete it once the script has run: it contains the server's private key.

  5. Run the certificate creation script.
    1. Download certificate-creation-4.1.tbz.
    2. Open a terminal as the root user.
    3. Extract the script from the tarball.
      • tar -xjvf certificate-creation-4.1.tbz
    4. Make the script executable (use the file name that tar extracted; it may or may not carry the version number).
      • chmod 755 certificate-creation.sh
    5. Run the script, pointing -f at the .pfx file. -l recreates the LUM certificate and refreshes nldap; -r reloads the remaining services.
      • ./certificate-creation-4.1.sh -f /directory/fileName.pfx -l -r

  6. Restart namcd. This should be run on any server where nam.conf has preferred-server set to this server.
      • namconfig -k
      • rcnamcd restart
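The file-level work of steps 2 and 3 of "Script Process" (backup, then serverkey.pem, servercert.pem, SSCert.pem/.der and the LUM DER file), done with openssl directly from the exported .pfx. This is an added example, not the certificate-creation script's own code. It assumes the .pfx carries the server certificate plus a single CA certificate, that the LUM file is the server certificate in DER form named after the server IP (LUM_SERVER_IP is a hypothetical override for that name), and it takes an optional root directory so the steps can be rehearsed under a scratch path instead of the live filesystem. Reload the services afterwards as in step 4 of Option 1.

```bash
#!/bin/bash
# Added example (not the certificate-creation script itself): write the
# files listed under "Script Process" steps 2 and 3 from an iManager .pfx
# export using openssl. ROOT (3rd argument) defaults to the live
# filesystem; point it at a scratch directory to rehearse.
set -u

# backup_file FILE: copy FILE to FILE.YYYYmmdd-HHMMSS if it exists.
backup_file() {
    local f=$1
    [ -e "$f" ] || return 0
    cp -p "$f" "$f.$(date +%Y%m%d-%H%M%S)"
}

# key_matches_cert KEY CERT: 0 only when the public half of KEY equals the
# public key in the first certificate of CERT (both compared as SPKI PEM).
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# recreate_certs_from_pfx PFX PASSWORD [ROOT]
recreate_certs_from_pfx() {
    local pfx=$1 pass=$2 root=${3:-}
    local ssl="$root/etc/ssl/servercerts"
    local novell="$root/etc/opt/novell/certs"
    local lum="$root/var/lib/novell-lum"
    # Assumption: the LUM file is named after the server IP. LUM_SERVER_IP is
    # a hypothetical override for hosts where "hostname -i" is not usable.
    local ip=${LUM_SERVER_IP:-$(hostname -i 2>/dev/null | awk '{print $1}')}
    local f tmp rc
    [ -n "$ip" ] || { echo "cannot determine server IP" >&2; return 1; }

    mkdir -p "$ssl" "$novell" "$lum" || return 1
    for f in "$ssl/servercert.pem" "$ssl/serverkey.pem" "$novell/SSCert.pem" "$lum/$ip.der"; do
        backup_file "$f" || return 1
    done

    tmp=$(mktemp -d) || return 1
    # Private key without the export passphrase (apache2 and nldap read it
    # unattended), created root-only via umask. Leaf and CA certificates are
    # extracted separately; pkcs12 prefixes "Bag Attributes", so each is
    # passed through "openssl x509" to keep only the PEM body.
    ( umask 077 && openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
          -out "$ssl/serverkey.pem" ) &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys |
        openssl x509 -out "$tmp/leaf.pem" &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys |
        openssl x509 -out "$tmp/ca.pem" || { rm -rf "$tmp"; return 1; }

    # servercert.pem = server certificate followed by the issuing CA (as in
    # script 4.1); SSCert.pem/.der = the CA alone; LUM file = server cert DER.
    cat "$tmp/leaf.pem" "$tmp/ca.pem" > "$ssl/servercert.pem" &&
    cp "$tmp/ca.pem" "$novell/SSCert.pem" &&
    openssl x509 -in "$tmp/ca.pem" -outform DER -out "$novell/SSCert.der" &&
    openssl x509 -in "$tmp/leaf.pem" -outform DER -out "$lum/$ip.der"
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # Final sanity check: refuse to report success if key and cert disagree.
    key_matches_cert "$ssl/serverkey.pem" "$ssl/servercert.pem"
}
```

Run it as root with the .pfx path, the export password and no third argument to write the live files, e.g. `recreate_certs_from_pfx /root/cert.pfx 'export-password'`. If an OpenSSL 3.x build refuses to read the iManager export, the file is most likely encrypted with the older RC2/3DES PKCS#12 algorithms, which live in the legacy provider; adding `-legacy` to the three `openssl pkcs12` calls selects it. Delete the .pfx once the files are in place.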

         

Fixes and Enhancements:


Version 4.1

  • servercert.pem now includes Trusted Certificate
  • Fixed the format of SSCert.pem

Version 4.0

  • Added support for OES2015 and OES2018.
  • Fixed a few false success conditions.

Version 3.1

  • The Pre and Post checks are now optional. It only executes when the -c switch is used.
  • The script no longer tries to restart owcimomd in OES11. owcimomd is no longer used in OES11.

Version 3.0

  • No longer displays the password when ldapsearch throws an error

Version 2.0

  • This script will now do pre and post checks to see if the certificates are good or bad
  • Color was also added for easier reading

Version 1.1

  • The script will now check if you are root
  • OES2 x86_64 is now supported
  • A relative path to the .pfx file can now be used.


Note: running the script with -h displays the other parameter options.

 

Attachments

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
Thanks VM.

Now if only there was a way to get the .pfx out of eDir using LDAP or some other command line tool. Then we wouldn't need iManager. We'd need the eDir credentials, and a temporary password could be autogenerated to protect the pfx; when finished, the pfx could be deleted. Could make it safer all round!

Challenge anyone ?

P
Ran into problems when migrating to a virtual system. This script was very helpful in restoring all the certificates. However, I ran into two problems:

1. Although there appeared to be certificates for the server in eDirectory, editing the certificates in iManager drew a blank. I had to use TID 7001013 to re-create the certificates for the server in eDirectory.
http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=7001013

2. The script does not update the certificate store for Tomcat (/etc/opt/novell/tomcat4/cacerts). Had to import these manually using TID 3734475 as a guide.
http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=3734475

These are not complaints; just additional info if someone runs into the same issues.

Thanks for putting this together.
Thank you for the new information. I will look at possible ways of trying to script those suggestions into a newer version.
If I knew of a way to do this, I would be happy to script it. Currently, I am not aware of a way.
Hi, is this procedure still needed, or should I just use iManager - Novell Certificate Server - Create/Repair Default Certificates and then restart the ndsd | use the "namconfig -k" to use the new certificates?
I can verify this - using iManager from another server I ran the "Create Default Certificates" task and marked the option to replace the existing certificates (mine were expired). I then ran "namconfig -k", rebooted the server, and everything was working fine again. For reference, I was running iManager from a NW6.5 server, and the server I replaced the certificates on was OES1/SLES9.
I added:

# copy the recreated server certificate and key to where httpstkd reads them, then restart it
cp /etc/ssl/servercerts/servercert.pem /etc/opt/novell/httpstkd/server.pem
cp /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/httpstkd/server.key
rcnovell-httpstkd restart

just to take it a step further

P
Original servercert.pem:
-----BEGIN CERTIFICATE-----
Bla-bla-bla...
-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
Bla-bla-bla...
-----END TRUSTED CERTIFICATE-----

Recreated servercert.pem:
-----BEGIN CERTIFICATE-----
Bla-bla-bla...
-----END CERTIFICATE-----

Execute:
openssl verify servercert.pem
...
error 20 at 0 depth lookup:unable to get local issuer certificate
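The check behind the comparison above, scripted so it can be run on every server after the certificates are recreated. This is an added example, not code from the script or the commenter: it counts the PEM blocks in servercert.pem, flags a file that carries only the server certificate (the case that produces "error 20 ... unable to get local issuer certificate"), and, where openssl is available, verifies the first block against the remaining ones. It accepts both the "TRUSTED CERTIFICATE" form eDirectory writes and the second plain "CERTIFICATE" block script version 4.1 appends.

```bash
#!/bin/bash
# Added example, not from the page's script: inspect a servercert.pem the
# way the comparison above does, without iManager.

# pem_block_count FILE LABEL: number of "-----BEGIN LABEL-----" lines.
pem_block_count() {
    grep -c -- "^-----BEGIN $2-----" "$1" 2>/dev/null || true
}

# check_servercert FILE: 0 when FILE holds one server certificate and at
# least one issuer block, either "TRUSTED CERTIFICATE" (what eDirectory
# writes) or a second plain "CERTIFICATE" (what script 4.1 appends).
# Prints the reason and returns 1 when the issuer is missing.
check_servercert() {
    local f=$1 certs trusted
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
    certs=$(pem_block_count "$f" "CERTIFICATE")
    trusted=$(pem_block_count "$f" "TRUSTED CERTIFICATE")
    if [ "$certs" -eq 0 ]; then
        echo "$f: no CERTIFICATE block" >&2
        return 1
    fi
    if [ "$certs" -eq 1 ] && [ "$trusted" -eq 0 ]; then
        echo "$f: server certificate only, issuer missing (openssl verify reports error 20)" >&2
        return 1
    fi
    return 0
}

# verify_chain FILE: split FILE into the first block (server certificate)
# and the rest (issuers) and let openssl verify the leaf against them.
# openssl reads TRUSTED CERTIFICATE blocks as CA input. Needs openssl.
verify_chain() {
    local f=$1 tmp rc
    check_servercert "$f" || return 1
    tmp=$(mktemp -d) || return 1
    awk '/^-----BEGIN/{n++} n==1' "$f" > "$tmp/leaf.pem"
    awk '/^-----BEGIN/{n++} n>=2' "$f" > "$tmp/issuers.pem"
    openssl verify -CAfile "$tmp/issuers.pem" "$tmp/leaf.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Typical use after the script has run: `check_servercert /etc/ssl/servercerts/servercert.pem && verify_chain /etc/ssl/servercerts/servercert.pem`. A non-zero exit means the file should be rebuilt (re-export with "Include all certificates in the certification path" checked) before services are reloaded.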
Interesting; I wonder if this could be used to get everything back up to snuff after changing the hostname and/or IP address of a server?

Well, off to the lab....
You could use VPN for that.
If you use OES 2 Linux, the serverkey and servercert are symbolic links to the
correct place.
Just tried this script for the first time, and it worked very well except....

It runs namconfig -k before it does the nldap refresh, which means that it re-downloads the expired certificate if NAM is pointing at the local eDirectory LDAP.

Running namconfig -k and then namconfig cache_refresh after the script finishes sorts that though.

The new 2.0 version now incorporates your suggestions.
Also need to fix /var/opt/novell/tomcat5/conf/cacerts, else iManager will no longer be able to manage things like iPrint and NetStorage and who knows what else....

...is the fact that your typical OES server has multiple processes that are all over the map when it comes to the utilization of certificates, and trying to get all of them back in sync after a major event makes herding cats look easy.

I talked to Glen Davis about this last BrainShare, told him we needed to get all these critters to use the same watering hole when it came to certificates. Really; it's past-due that this got fixed.
😞
Many thanks for this script.

It should definitively be implemented in OES releases ...
It is so annoying to have to check for certificates validity and track down which got really updated on the system ...
Big fan of this script! It works wonders & saves quite a bit of time. Speaking of saving time... Any way during this process to set the SSL cert for more than 2 years? I know, set myself a calendar reminder for a month before the certs expire & redo them then, but wouldn't it be much nicer to do that every 3 or more years instead of 2?

Thanks!
- Manager - Novell Certificate Server - Create/Repair Default Certificates worked just fine to fix the server certificates

- To fix the Tomcat5 certificate, you can export the same SSL CertificateDNS in a .der format by deselecting the option to export the Private Certificate. The .der is an X.509 Certificate that is used by the default Tomcat cacerts file. You can import the certificate with the following command:
keytool -import -alias <alias> -file cert.der -keystore /var/opt/novell/tomcat5/conf/cacerts -storepass changeit

Then restart Tomcat:
/etc/init.d/novell-tomcat5 stop
/etc/init.d/novell-tomcat5 start

- I still had issues with managing iPrint objects, so the final step was to follow http://www.novell.com/support/kb/doc.php?id=7001666 and remove the following files:
rm /var/opt/novell/tomcat5/webapps/nps/portal/modules/iPrintX/certstore/*
I found this script that seems to take care of Tomcat and Apache using the exported cert.pfx file.

http://forums.novell.com/novell/novell-product-discussion-forums/open-enterprise-server/oes-linux/oes-l-linux-web-services/126836-tomcat-cacert-renewal.html

Could this be merged into the master certificates script to take care of this too? I have an OES11 server that everything else is working on but cacerts seems to not be correct as I can't manage iprint.

I am about to check the steps in the above script to see if I can't fix it.

-Nyle
This script is a wonderful tool for the community. Thank you.

Novell, There is no way that each of these services which typically rely on LDAP should have separate certificates stored all over the place. The certificates should all be in the same location and the system should rekey itself automatically. There should be no need for an admin to manually regenerate the keys and certainly not in so many areas.

This whole process should be automated and simplified.
Hi, I download and found errors in execution caused by null values to variables. To fix simply edit the script and on lines 105 and 107 enclose the variables in double quotes.

if [ "$nam_conf_server" == "$ipsmd_conf_dsserver1" ]; then
sameVar="1"
fi
if [ "$iprint_g_server" == "$ipsmd_conf_dsserver1" ]; then
printFilesSame="1"
fi
I have been using the script quite a bit lately and noticed that the rcowcimomd was attempting to run even though I'm on OES 11.1 and 11.2.

I updated the script so that it can check for version 11 or higher instead of just version 11.

Here is the diff


456a457
>
461a463,472
> # return 0 if program version is equal or greater than check version
> # http://fitnr.com/bash-comparing-version-strings.html - Louis Marascio
> check_version()
> {
> local version=$1 check=$2
> local winner=$(echo -e "$version\n$check" | sed '/^$/d' | sort -nr | head -1)
> [[ "$winner" = "$version" ]] && return 0
> return 1
> }
>
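Review bot: check_version decides the winner with `sort -nr`, which compares the two strings as single decimal numbers, so "11.10" sorts below "11.9" and a version of "11" checked against "11.0" (numerically equal, but the other string wins the tie-break) returns 1 although the version qualifies. The caller only needs the major version, so compare the integer part directly, e.g. `[ "${oesVersion%%.*}" -ge 11 ]`, or use `sort -V` where the installed coreutils supports it.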
464,473c475,486
< printf "\n"
< echo '#===========Reloading Services==========================================#'
< if [ $oesVersion != "11" ]; then
< echo 'Restarting owcimomd.................................#'
< rcowcimomd restart
< fi
< echo 'Restarting namcd....................................#'
< rcnamcd restart
< echo 'Restarting apache2..................................#'
printf "\n"
> echo '#===========Reloading Services==========================================#'
> if check_version "$oesVersion" "11"; then
> echo "OES version is 11 or higher"
> else
> echo 'OES 10 Restarting owcimomd..........................#'
> rcowcimomd restart
> fi
> echo 'Restarting namcd....................................#'
> rcnamcd restart
> echo 'Restarting apache2..................................#'
> rcapache2 restart
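Review bot: the else branch is also reached when $oesVersion is empty or was not parsed, because check_version then returns 1, so a server whose version could not be detected gets `rcowcimomd restart` and the misleading "OES 10" message; test `[ -n "$oesVersion" ]` before the comparison and skip the owcimomd step with a warning otherwise. Also, the first `printf "\n"` line of this hunk has lost its `>` marker in the paste, so `patch` will reject the hunk as posted; regenerate the diff (`diff -u` keeps context as well) before anyone applies it.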
475c488
printf "\n"
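Review bot: the `475c488` hunk shows a single `printf "\n"` with neither a `<` nor a `>` marker, so it cannot be applied as pasted; a change hunk needs both the removed and the added line with their markers, or post a unified diff with context instead.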
477d489
<
I would like to see this script moved to an official repo and become officially supported. It is basically a must have on OES servers.
I wholeheartedly agree!
Hi,

Thanks for the script. There are two errors with respect to the -r option to reload services.

1. the help text has a typo, it says 'nlap'. It should say 'nldap'.

2. the code section for reloadServices does not contain anything to reload the nldap service. It should contain something like:


echo 'Restarting LDAP service..................................#'
nldap -u
nldap -l


Not sure how this would relate to using the -l option which recreates the LUM cert and restarts the nldap service. If one used both options then nldap would be restarted twice I guess....

Cheers,

Ron
Never mind. Reread the script and realized that -l and -r are mandatory, therefore nldap will be restarted by the -l option. Help text is misleading in that it states that the -r option will cause a reload of nldap, which it doesn't.

Cheers,

Ron
Can you run this script (this process) against the server that has your CA? How about running it against the server running iManager?
Does eDirectory Certificate Server self-provisioning eliminate the need for this script? It seems that this script does a lot more than just have the CA re-key itself. I've had self-provisioning on for some time and I don't see how it corrects all the other eDirectory servers and services that rely on these certificates?

Can someone set me straight. Thanks.
Great script, used this many times. Needs to be updated for OES2015 though...

This server in not SUSE Linux Enterpriser Server 9 or 10

#=========== Results Summary ====================================#
All creations of the certificates SUCCEEDED


...but of course nothing actually got updated.

Hello,

I used option 2 but that does not re-create the SAS service object.  Is the SAS service object required?

 

Thanks,

Andrew Shearer

THANKS! This is gold, I just used the option "Recreate Certificates with "ndsconfig upgrade" very handy. Much quicker than doing via iManager.
Version history
Revision #: 2 of 2
Last update: 2019-05-16 18:23