

Cadet 2nd Class
2013-10-10
15:13
New server certs not used by NRM
Having recently recreated our CA last December (2012), we issued new certs to most of our servers.
(long story short, our old CA had not yet expired but a tech claimed it had and recreated our CA.. it was actually good until 2014)
I've found that typically, on our OES Linux boxes however, when I generate new certs via iManager/Repair default certificates, the new certs do not translate over to the cert used by httpstk/Remote Manager.
On this one server, as an example, it's still using an old cert that was issued 2011, and says it's good until 2015.
Do I have to manually export and import the new certs? (and if so, why isn't that built-in to the repair certificates function in iManager?)
Furthermore, this old cert lists no CA in the chain. We definitely had one. This isn't the first NRM cert I've seen exhibit this behavior either.
How do I get these certs to sync up with the ones the server is actually using in eDirectory?
Thanks
Paul
4 Replies
laurabuckley

Micro Focus Expert
2013-10-11
08:46
Hi Paul,
As far as I'm aware you do need to export/import the certificates on a Linux based (OES) server.
Here's a good article on how to do it: Recreating Server Certificates on OES Linux - CoolSolutionsWiki
There's also a script available: https://www.novell.com/communities/node/5704/certificate-recreation-script-oes1-and-oes2
Please let us know how it goes.
Cheers,
Laura Buckley
Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...


Cadet 2nd Class
2013-10-11
15:17
Thanks Laura!
Any idea why this functionality is not built into iManager's certificate module?
laurabuckley

Micro Focus Expert
2013-10-11
16:36
Hi
I'm actually not 100% sure! Perhaps it's time for an enhancement request: http://www.novel.com/rms
Cheers,
Laura Buckley
Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...


Knowledge Partner
2013-10-11
18:41
lpphiggp;2287456 wrote:
Having recently recreated our CA last December (2012), we issued new certs to most of our servers.
(long story short, our old CA had not yet expired but a tech claimed it had and recreated our CA.. it was actually good until 2014)
I've found that typically, on our OES Linux boxes however, when I generate new certs via iManager/Repair default certificates, the new certs do not translate over to the cert used by httpstk/Remote Manager.
On this one server, as an example, it's still using an old cert that was issued 2011, and says it's good until 2015.
Do I have to manually export and import the new certs? (and if so, why isn't that built-in to the repair certificates function in iManager?)
Furthermore, this old cert lists no CA in the chain. We definitely had one. This isn't the first NRM cert I've seen exhibit this behavior either.
How do I get these certs to sync up with the ones the server is actually using in eDirectory?
Thanks
Paul
httpstkd will use the default OES certs.
However, I've seen on MANY occasions:
1) After repairing the SSL certs, I need to reboot the server for things to take effect
and
2) NRM can use LUM. LUM (namcd) has an annoying habit of sometimes not replacing the actual certificate files. In other words, when you repair the eDir SSL cert and do a namconfig -k to re-pull the SSL certs down, it won't actually overwrite the file already on the file system that corresponds to the updated SSL cert. I've (many times) had to manually delete the cert files, and then re-run namconfig -k and restart namcd
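Added example, not part of the thread and not Novell/Micro Focus code: a way to confirm which copies of the server certificate are stale after a repair, by comparing SHA-256 fingerprints of the freshly exported certificate against the files on disk and the certificate Remote Manager actually serves. Function names are hypothetical, the sample bytes are constructed placeholders rather than real certificates, and the dictionary keys are labels, not file paths; in real use, read the files from disk and call `served_cert()` with the host and port where Remote Manager listens.

```python
import hashlib
import ssl

HEAD = b"-----BEGIN CERTIFICATE-----"
FOOT = b"-----END CERTIFICATE-----"


def to_der(blob: bytes) -> bytes:
    """Accept a certificate as PEM or DER bytes and return DER.

    If a PEM file holds a chain, only the first certificate (the leaf) is used.
    """
    text = blob.strip()
    if text.startswith(HEAD):
        first = text[: text.index(FOOT) + len(FOOT)]
        return ssl.PEM_cert_to_DER_cert(first.decode("ascii"))
    return blob


def fingerprint(blob: bytes) -> str:
    """SHA-256 over the DER encoding, so PEM and DER copies compare equal."""
    return hashlib.sha256(to_der(blob)).hexdigest()


def served_cert(host: str, port: int) -> bytes:
    """Fetch the leaf certificate a TLS service presents (no chain validation)."""
    return ssl.get_server_certificate((host, port)).encode("ascii")


def stale_copies(reference: bytes, copies: dict) -> list:
    """Names of the copies whose fingerprint differs from the reference cert."""
    want = fingerprint(reference)
    return sorted(name for name, blob in copies.items()
                  if fingerprint(blob) != want)


# Constructed placeholder bytes standing in for certificates (not real X.509).
NEW_DER = b"constructed-new-server-cert"
OLD_DER = b"constructed-old-2011-cert"
SAMPLE = {
    "web server cert file (PEM)": ssl.DER_cert_to_PEM_cert(NEW_DER).encode(),
    "LUM cert file (DER)": OLD_DER,        # the copy namconfig -k did not overwrite
    "served by Remote Manager": OLD_DER,   # what served_cert() would have returned
}

if __name__ == "__main__":
    for name in stale_copies(NEW_DER, SAMPLE):
        print("STALE:", name)
```

Running the same comparison again after deleting the stale files, re-running namconfig -k and restarting the services shows whether every copy now matches the reference.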