
Organizational CA - Move and Renew

Our organizational CA is going to expire soon and I want to move it to a new server along with renewing it. I am going to follow option 2 from TID 3618399 but have a couple of things I would like to verify first. I am trying to understand how services are going to be affected during this process, especially LDAP.

1. This option will also renew the organizational CA, not just recreate it at the current expiration date?

2. The document indicates that once you delete the old CA object, the existing certs will still function until they expire. However, once I create the new CA and run pkidiag on my servers, will things break for services such as LDAP that are using the certs? Should the servers be rebooted after running pkidiag?

3. I had read in some other documents that you should delete the cert objects in the tree; does this need to be done? This document does not indicate this.

4. My main concern is LDAP services, so I am trying to develop a plan to complete this without an interruption of services. Or do I need to schedule a time to do this off hours?

Deborahshields,
> 1. This option will also renew the organizational CA, not just
> recreate it at the current expiration date?


Assuming that you delete and recreate, yes. Option II

> 2. The document indicates that once you delete the old CA object, the
> existing certs will still function until they expire. However, once I
> create the new CA and run pkidiag on my servers, will things break
> for services such as LDAP that are using the certs? Should the servers
> be rebooted after running pkidiag?


When you run PKIDIAG after recreating the CA, it will use the new CA to
mint the certificates. There is no need to reboot the servers after
running PKIDIAG, reloading NLDAP and Tomcat should suffice.

> 3. I had read in some other documents that you should delete the cert
> objects in the tree; does this need to be done? This document does not
> indicate this.


What other documents?

> 4. My main concern is LDAP services, so I am trying to develop a plan to
> complete this without an interruption of services. Or do I need to
> schedule a time to do this off hours?


I would do it after hours.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)


Novell has a new enhancement request system,
or what is now known as the requirement portal.
If customers would like to give input in the upcoming
releases of Novell products then they should go to
http://www.novell.com/rms


Thanks for the quick reply, it is greatly appreciated. I believe I read about deleting the certs here on the forum, but can't find it now, so maybe I was looking at something else. Since running pkidiag is going to break the old certs, can I do this in a staggered approach, though? For example, delete and re-create the CA, then run pkidiag on a couple of servers, do some testing, make sure everything is working, and then go back and do the other servers a few days later?

Deborahshields,
> Thanks for the quick reply, it is greatly appreciated. I believe I read
> about deleting the certs here on the forum, but can't find it now, so
> maybe I was looking at something else.


Or here:

"1. Delete the Organizational CA object.
NOTE: Deleting the Organizational CA object will not invalidate any
certificates that have been signed by the Organizational CA, such as the
Certificates (Key Material Objects) created for each of your servers. They
will continue to function until they expire. However, you will not be able
to install new servers into the tree or issue new certificates until you
delete and create a new Certificate Authority."


> Since running pkidiag is going
> to break the old certs, can I do this in a staggered approach, though?
> For example, delete and re-create the CA, then run pkidiag on a couple
> of servers, do some testing, make sure everything is working, and then go
> back and do the other servers a few days later?


Should not be a problem, but that sort of depends on what your apps are
doing LDAP-wise.


- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
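A staggered rollover as discussed above only stays safe if you know, per server, whether pkidiag has already re-minted the LDAP certificate from the new CA and how long the old-CA certificates have left. The helper below is an added example, not part of this thread or of any Novell tool: it assumes you have captured, for each server, the two lines printed by `openssl s_client -connect HOST:636 </dev/null | openssl x509 -noout -startdate -enddate`, and it classifies each server by comparing the certificate's notBefore with the time the Organizational CA was recreated (a certificate minted by the new CA cannot predate it) and its notAfter with the current time. The inventory, timestamps and host names are constructed sample data.

```python
"""Inventory helper for a staggered eDirectory CA rollover (constructed example).

Per-server records are the output of
  openssl s_client -connect HOST:636 </dev/null | openssl x509 -noout -startdate -enddate
Certificates minted by the recreated CA (pkidiag already run) have a notBefore after
the recreation time; older ones are still signed by the deleted CA and keep working
only until their notAfter, which is the window the staggered approach relies on.
"""
from datetime import datetime, timedelta, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar  1 09:12:44 2024 GMT"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from openssl x509 output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def parse(value):
        # openssl pads single-digit days with two spaces; collapse before strptime
        return datetime.strptime(" ".join(value.split()), OPENSSL_DATE).replace(tzinfo=timezone.utc)

    return parse(fields["notBefore"]), parse(fields["notAfter"])


def classify(not_before, not_after, ca_recreated_at, now, warn=timedelta(days=30)):
    if not_before >= ca_recreated_at:
        return "reissued"       # already re-minted by the new CA; nothing left to do
    if not_after <= now:
        return "expired"        # old-CA cert is dead: LDAP over TLS fails; run pkidiag now
    if not_after - now <= warn:
        return "expiring-soon"  # still works, but put this server in the next batch
    return "legacy-valid"       # old-CA cert works until notAfter; safe for a later batch


def plan_rollout(inventory, ca_recreated_at, now, warn=timedelta(days=30)):
    """Map host -> rollout state for every captured certificate."""
    return {host: classify(*parse_openssl_dates(text), ca_recreated_at, now, warn)
            for host, text in inventory.items()}


# Constructed sample data (assumed values, not from a real tree).
CA_RECREATED = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
INVENTORY = {
    "ldap1": "notBefore=Mar  1 09:12:44 2024 GMT\nnotAfter=Mar  1 09:12:44 2026 GMT\n",
    "ldap2": "notBefore=Jun 15 08:00:00 2022 GMT\nnotAfter=Jun 15 08:00:00 2024 GMT\n",
    "ldap3": "notBefore=Apr  2 10:30:00 2022 GMT\nnotAfter=Apr  2 10:30:00 2024 GMT\n",
    "ldap4": "notBefore=Feb 20 07:45:00 2022 GMT\nnotAfter=Feb 20 07:45:00 2024 GMT\n",
}

if __name__ == "__main__":
    for host, state in sorted(plan_rollout(INVENTORY, CA_RECREATED, NOW).items()):
        print(f"{host}: {state}")
```

Servers reported as "expired" are the ones that would surface as broken LDAP binds after the CA deletion; "legacy-valid" hosts are the ones you can leave for a later batch.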
