dchunt

Confusion over SSL certs for SLES OES

On a SLES 11 SP3 with OES11 SP2 server, if I use Yast, go to ‘Security and Users’ then choose ‘CA Management’ and enter the CA, I can see when the CA will expire. There is also a ‘Certificates’ option. When I look at this option I will see a certificate associated with the DNS name of the host.
If I back out of the CA to ‘Security and Users’ there is another option called ‘Common Server Certificate’. What is this certificate for?

Some of my hosts don’t show anything for the 'Common Server Certificate' while others have a certificate. Why?

How do the above certificates relate to what I see in iManager when I go to ‘NetIQ Certificate Access -Server Certificates’? Under there I can see up to 4 certificates which are:

DNS_AG_server.domain.edu
IP_AG_ipaddress
SSL_CertificateDNS
SSL_CertificateIP

What does it mean if I don’t have all of these in iManager?

In iManager, if I run the “NetIQ Certificate Server - Repair Default Certificates”, it looks like it rebuilds the “DNS_AG_server.domain.edu” and the “SSL_CertificateDNS” but not the “IP_AG_ipaddress” or the “SSL_CertificateIP”. Why not?

After rebuilding the certs in iManager and checking to see that they are valid, if I re-launch Yast and look for the DNS name server certificate in the CA - it still shows expired. If I look at the Common Server Certificate, there still is none. Why does iManager now say the certs are valid but I don’t see that in Yast?

Thanks,

Dan
Knowledge Partner

Re: Confusion over SSL certs for SLES OES

On 02/23/2016 03:56 PM, dchunt wrote:
>
> On a SLES 11 SP3 with OES11 SP2 server, if I use Yast, go to ‘Security
> and Users’ then choose ‘CA Management’ and enter the CA, I can see when
> the CA will expire. There is also a ‘Certificates’ option. When I look
> at this option I will see a certificate associated with the DNS name of
> the host.
> If I back out of the CA to ‘Security and Users’ there is another option
> called ‘Common Server Certificate’. What is this certificate for?


This all sounds like the stock SLES CA management, and I do not know that
it does (or does not) have any validity when it comes to Open Enterprise
Server (OES), because when you have OES you have eDirectory in place, which
has its own CA.

In SLES-land, a new box gets a CA, and the Common Server Certificate is a
basic cert minted from that CA which then is exported to the filesystem
for use by one service or another (e.g. Apache httpd).

> Some of my hosts don’t show anything for the 'Common Server Certificate'
> while others have a certificate. Why?


I do not know for sure, but if what I wrote above is correct, it's
probably neither here nor there. Maybe some boxes were built as SLES
boxes and then later setup as OES boxes via the OES add-on. If so, the
default SLES install would have setup the SLES CA and its accompanying
Common Server Certificate, even though that is not (I do not think)
normally used directly by OES like it is by SLES.

> How do the above certificates relate to what I see in iManager when I go
> to ‘NetIQ Certificate Access -Server Certificates’? Under there I can
> see up to 4 certificates which are:
>
> DNS_AG_server.domain.edu
> IP_AG_ipaddress
> SSL_CertificateDNS
> SSL_CertificateIP


If my untested assumptions are correct, they basically do not relate,
other than the subject names of the certs may be the same since they're
all on the same box and that's kind of the point of a DNS-based subject
name on a cert. Also, both types of certs are coming from what is
essentially a private CA (SLES's or eDirectory's) so in either case they
are not trusted by the wide world, though that's not usually required for
proper use outside of trust relationships.

> What does it mean if I don’t have all of these in iManager?


Either they did not get created, or else they were deleted. Some certs
are created by default, or were in the past, but those not needed are
sometimes no longer created by default, e.g. SSL_CertificateIP may not be
with the latest code, or at least will not be updated.

> In iManager, if I run the “NetIQ Certificate Server - Repair Default
> Certificates”, it looks like is rebuilds the “DNS_AG_server.domain.edu”
> and the “SSL_CertificateDNS” but not the “IP_AG_ipaddress” or the
> “SSL_CertificateIP”, why not?


The latest version of eDirectory changed these two to no longer maintain
them like they were in the past, primarily because their functionality was
also available in their DNS counterparts. Using a Subject Alternative
Name on a cert for the IP address(es) applicable to a service, the primary
Subject of a DNS name can be used while also allowing valid connections
directly via IPs. Since the vast majority of services do (and should)
connect via DNS for long-term maintenance reasons, the old certs, which
were not used by OES or eDirectory services by default, are no longer
created/updated by default. If they existed before this change, they are
also not deleted automatically, just in case something IS using them.

> After rebuilding the certs in iManager and checking to see that they are
> valid, if I re-launch Yast and look for the DNS name server certificate
> in the CA - it still shows expired. If I look at the Common Server
> Certificate, there still is none. Why does iManager now say the certs
> are valid but I don’t see that in Yast?


Yes, this is still, I believe, completely independent of the OES side of
things. You are welcome to have as many CAs in your life as you'd like,
but on OES I would just stick with the eDirectory ones because they are
easier to manage, replicated, and can be configured to export to the
filesystem automatically as well (and probably are by default).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
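The reply's point about the IP_AG and SSL_CertificateIP certs being superseded is that a single server certificate whose Subject is the DNS name can also carry the host's IP address as a Subject Alternative Name, so a client connecting by IP literal still gets a valid match. The following Go program is an added example, not code from either poster or from OES/eDirectory: it mints a throwaway private CA (standing in for the eDirectory Organizational CA) and issues a server certificate for the page's host name server.domain.edu, once without and once with an IP SAN, then verifies it the way a TLS client would. The IP 192.0.2.10 and the CA name "Example Organizational CA" are constructed values. Note that modern verifiers, Go included, never fall back to the CommonName, so the IP only verifies when it is present as a SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueChain builds a throwaway private CA and a server certificate whose
// Subject (and DNS SAN) is dnsName. When withIPSAN is true the server's IP
// address is added as an IP Subject Alternative Name, which is the single
// cert arrangement the reply describes. Returns (CA cert, server cert).
func issueChain(dnsName string, ip net.IP, withIPSAN bool) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Organizational CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // DNS name is the primary identity
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withIPSAN {
		srvTmpl.IPAddresses = []net.IP{ip} // IP SAN replaces the separate IP cert
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, nil, err
	}
	return caCert, srvCert, nil
}

// verifyAs checks the server certificate against the private CA for the host
// the client dialed (a DNS name or an IP literal). A nil error means the chain
// is valid, unexpired, and the name matches a SAN.
func verifyAs(caCert, srvCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := srvCert.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ip := net.ParseIP("192.0.2.10") // constructed documentation address
	for _, withSAN := range []bool{false, true} {
		ca, srv, err := issueChain("server.domain.edu", ip, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("IP SAN present=%-5v  dns ok=%-5v  ip ok=%v\n", withSAN,
			verifyAs(ca, srv, "server.domain.edu") == nil,
			verifyAs(ca, srv, ip.String()) == nil)
	}
}
```

Without the IP SAN the DNS name verifies but the IP literal does not; with it, both do, which is why one DNS-subject cert carrying IP SANs can replace the separate IP_AG and SSL_CertificateIP objects. Run it as `go run main.go`.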