New server certs not used by NRM

lpphiggp · ‎2013-10-10

Having recently recreated our CA last December (2012), we issued new certs to most of our servers.
(long story short, our old CA had not yet expired but a tech claimed it had and recreated our CA.. it was actually good until 2014)

I've found that typically, on our OES linux boxes however, when I generate new certs via iManager/Repair default certifidfates, the new certs do not translate over to the cert used by httpstk/Remote Manager.
On this one server, as an example, it's still using an old cert that was issued 2011, and says it's good until 2015.

Do I have to manually export and import the new certs? (and if so, why isn't that built-in to the repair certificates function in iManager?)

Furthermore, this old cert lists no CA in the chain. We definitely had one. This isn't' the first NRM cert I've seen exhibit this behavior either.

How do I get these certs to sync up with the ones the server is actually using in eDirectory?

Thanks
Paul

laurabuckley · ‎2013-10-11

Hi Paul,

As far as I'm aware you do need to export/import the certificates on a Linux based (OES) server.

Here's a good article on how to do it: Recreating Server Certificates on OES Linux - CoolSolutionsWiki

There's also a script available: https://www.novell.com/communities/node/5704/certificate-recreation-script-oes1-and-oes2

Please let us know how it goes.

Cheers,

Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...

lpphiggp · ‎2013-10-11

Thanks Laura!

Any idea why this functionality is not built into iManager's certificate module?

laurabuckley · ‎2013-10-11

Hi

I'm actually not 100% sure ! Perhaps it's time for an enhancement request: http://www.novel.com/rms

Cheers,

Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...

kjhurni · ‎2013-10-11

lpphiggp;2287456 wrote:
Having recently recreated our CA last December (2012), we issued new certs to most of our servers.
(long story short, our old CA had not yet expired but a tech claimed it had and recreated our CA.. it was actually good until 2014)

I've found that typically, on our OES linux boxes however, when I generate new certs via iManager/Repair default certifidfates, the new certs do not translate over to the cert used by httpstk/Remote Manager.
On this one server, as an example, it's still using an old cert that was issued 2011, and says it's good until 2015.

Do I have to manually export and import the new certs? (and if so, why isn't that built-in to the repair certificates function in iManager?)

Furthermore, this old cert lists no CA in the chain. We definitely had one. This isn't' the first NRM cert I've seen exhibit this behavior either.

How do I get these certs to sync up with the ones the server is actually using in eDirectory?

Thanks
Paul

httpstkd will use the default OES certs.

However, I've seen on MANY occasions:
1) After repairing the SSL certs, I need to reboot the server for things to take effect
and
2) NRM can use LUM. LUM (namcd) has an annoying habit of sometimes not replacing the actual certificate files. In other words, when you repair the eDir SSL cert, do a namconfig -k to re-pull the SSL certs down, it won't actually overwrite the file that's already on the file system that's corresponding to the updated SSL cert. I've (many times) had to manually delete the cert files, and then re-run namconfig -k and restart namcd

Administration

Linux