Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
Absent Member.
Absent Member.
1554 views

CA Expiration and Server Certs

We finally have all of our Netware servers migrated to OES11SP2. It has been a long process, but everything is working perfectly now.

My CA will be expiring in a couple of months though. I cannot remember what happened when the old Netware CA expired 10 years ago, but I did find TID #7013047 which details the process for OES. It seems kind of strange that you have to delete and recreate the CA rather than just renewing it, but that's OK since the process is pretty detailed.

All the certs that were generated from that original CA will also be expiring at the same time. With Netware, it was easy to do a pkidiag followed by tckeygen to update the certificates and get Tomcat working properly. I know that I can use the options in iManager to generate the new certificates. I haven't been able to find any steps on how to then make sure all the OES services are using the new certificate. I'm specifically worried about iPrint since we use it heavily across our organization. I've had issues in the past with certificates causing iPrint to stop working.

Can anyone point me to some steps to follow after generating new server certificates with iManager?

Thanks,
Jason
Labels (2)
0 Likes
6 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

Hi.

First things first, you should *absolutely* be able to export/import the
CA instead of fully deletng and recreating it from scratch.

Then, as for renewing your existing certificates, even if it's a pain,
overall it should be the best to reboot the whole servers after renewing
them. And iPrint really shouldn't have any issue with the reneweder
certs, especially not if you refresh the existing CA.

CU,
Massimo

On 08.02.2014 17:26, jmlester wrote:
>
> We finally have all of our Netware servers migrated to OES11SP2. It has
> been a long process, but everything is working perfectly now.
>
> My CA will be expiring in a couple of months though. I cannot remember
> what happened when the old Netware CA expired 10 years ago, but I did
> find TID #7013047 which details the process for OES. It seems kind of
> strange that you have to delete and recreate the CA rather than just
> renewing it, but that's OK since the process is pretty detailed.
>
> All the certs that were generated from that original CA will also be
> expiring at the same time. With Netware, it was easy to do a pkidiag
> followed by tckeygen to update the certificates and get Tomcat working
> properly. I know that I can use the options in iManager to generate the
> new certificates. I haven't been able to find any steps on how to then
> make sure all the OES services are using the new certificate. I'm
> specifically worried about iPrint since we use it heavily across our
> organization. I've had issues in the past with certificates causing
> iPrint to stop working.
>
> Can anyone point me to some steps to follow after generating new server
> certificates with iManager?
>
> Thanks,
> Jason
>
>



--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
Absent Member.
Absent Member.

If I export and import, the expiration will still be the same though, right? I did use that procedure to move the CA from Netware to OES.

If I use iManager to renew certs for the servers after the CA is renewed , does it automatically fix Apache?

Thanks,
Jason
0 Likes
Micro Focus Expert
Micro Focus Expert

Hi Jason,

With regards to renewing the server certificates, there's a script that will handle everything for you: http://www.novell.com/communities/coolsolutions/cool_tools/certificate-recreation-script-oes1-and-oes2/

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
Absent Member.
Absent Member.

laurabuckley;2305536 wrote:
Hi Jason,

With regards to renewing the server certificates, there's a script that will handle everything for you: http://www.novell.com/communities/coolsolutions/cool_tools/certificate-recreation-script-oes1-and-oes2/

Cheers,


Thank you Laura,

It seems to work like clock work.

//Mattias
0 Likes
Micro Focus Expert
Micro Focus Expert

Hi Mattias,

So glad that we could be of assistance to you 🙂

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

mrosen;2305497 wrote:
Hi.

First things first, you should *absolutely* be able to export/import the
CA instead of fully deletng and recreating it from scratch.

Then, as for renewing your existing certificates, even if it's a pain,
overall it should be the best to reboot the whole servers after renewing
them. And iPrint really shouldn't have any issue with the reneweder
certs, especially not if you refresh the existing CA.

CU,
Massimo

On 08.02.2014 17:26, jmlester wrote:
>
> We finally have all of our Netware servers migrated to OES11SP2. It has
> been a long process, but everything is working perfectly now.
>
> My CA will be expiring in a couple of months though. I cannot remember
> what happened when the old Netware CA expired 10 years ago, but I did
> find TID #7013047 which details the process for OES. It seems kind of
> strange that you have to delete and recreate the CA rather than just
> renewing it, but that's OK since the process is pretty detailed.
>
> All the certs that were generated from that original CA will also be
> expiring at the same time. With Netware, it was easy to do a pkidiag
> followed by tckeygen to update the certificates and get Tomcat working
> properly. I know that I can use the options in iManager to generate the
> new certificates. I haven't been able to find any steps on how to then
> make sure all the OES services are using the new certificate. I'm
> specifically worried about iPrint since we use it heavily across our
> organization. I've had issues in the past with certificates causing
> iPrint to stop working.
>
> Can anyone point me to some steps to follow after generating new server
> certificates with iManager?
>
> Thanks,
> Jason
>
>



--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de


Wasn't there a special case where you couldn't backup the CA? Like if you created it with NW 6.0 or something? Although I can't recall the specifics, or if it was ever fixed--I'm pretty sure there *used* to be a TID on that, other than we ran into it and had no choice but to delete/re-create and it was horrible (well horrible in that it was time-consuming to re-do all the certs on all the servers).

BUT that was a LOOONNNGG time ago.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.