Micro Focus Frequent Contributor

Importing a Third-Party Certificate into eDir- invalid CRL

Hi

I have 3rd party certificate that I want to import into eDirectory 9.0.4.

The CA who signed the CSR sent the following files:

a. signedcertificate.cer
b. intermediateCA.cer
c. rootCA.cer

The CSR was NOT created using eDirectory. It was generated using openssl on a SLES12 SP2 server:

Original CSR file = request.csr
PrivateKey file = private.key

I generated a .pfx certificate for import into eDirectory using iManager 3.0.2.1.

When I validate the certificate with iManager >> Roles and Tasks >> Security >> NetIQ Certificate Access >> Server Certificates, I receive the following response: Invalid: Unable to read CRL

The CRL is:

[1]Punto de distribución CRL
Nombre del punto de distribución:
Nombre completo:
Dirección URL=ldap:///CN=PKI2BancoAVvillas,CN=Acagua,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=organizacion,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
Dirección URL=file:////Acagua.BancoAVvillas.net/CertEnroll/PKI2BancoAVvillas.crl
Dirección URL=http://extranet.com.co/terceros/PKI2BancoAVvillas.crl
Dirección URL=http://Acagua.BancoAVvillas.net/CertEnroll/PKI2BancoAVvillas.crl

How can I resolve this?

TIA
5 Replies
Knowledge Partner

Re: Importing a Third-Party Certificate into eDir- invalid C

This doesn't necessarily impose a problem. Initially it just means that iManager can't reach the URLs, which is not uncommon in a firewalled environment (at least as for the LDAP and file URLs). The third one seems to be available, so you might want to check whether you can reach it with a browser from the box where iManager is installed.
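Added example (not code from the thread or from NetIQ/Micro Focus): a small Python script that pulls the distribution-point URLs out of the certificate-viewer dump quoted in the question, classifies each by the kind of fetch a validator would need (HTTP download, LDAP query against the issuing directory, or a Windows UNC file share), and, when run on the iManager host, tries to download the HTTP ones so you can see which of the four are actually reachable from there. The `CDP_DUMP` text is the extension as quoted above; the helper names are my own.

```python
"""List the CRL distribution points of a certificate and check which are reachable.

Input is the "CRL Distribution Point" text a certificate viewer prints (the dump
quoted in the question). Only the http(s) entries are probed; ldap:/// and
file:// entries can only be fetched by a client that lives in the issuing
Active Directory forest, which an eDirectory/iManager box normally does not.
"""
import re
from urllib.parse import urlparse

# Taken from the certificate viewer output quoted in the original post (the
# Spanish labels are the viewer's; the four URLs are the certificate's).
CDP_DUMP = """[1]Punto de distribución CRL
Nombre del punto de distribución:
Nombre completo:
Dirección URL=ldap:///CN=PKI2BancoAVvillas,CN=Acagua,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=organizacion,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
Dirección URL=file:////Acagua.BancoAVvillas.net/CertEnroll/PKI2BancoAVvillas.crl
Dirección URL=http://extranet.com.co/terceros/PKI2BancoAVvillas.crl
Dirección URL=http://Acagua.BancoAVvillas.net/CertEnroll/PKI2BancoAVvillas.crl
"""

# "URL=" followed by everything up to the next whitespace; CDP URLs are
# percent-encoded, so they never contain spaces themselves.
URL_RE = re.compile(r"URL=(\S+)")


def extract_cdp_urls(dump: str) -> list[str]:
    """Return the distribution-point URLs in the order the certificate lists them."""
    return URL_RE.findall(dump)


def cdp_host(url: str) -> str:
    """Host a validator must reach for this URL ('' when the URL names none).

    ldap:/// with an empty host means "ask the directory the client is joined
    to"; file:////host/share/... is a UNC path whose host sits in the path part.
    """
    parsed = urlparse(url)
    if parsed.netloc:
        return parsed.netloc.lower()
    if parsed.scheme.lower() == "file":
        segments = [s for s in parsed.path.split("/") if s]
        return segments[0].lower() if segments else ""
    return ""


def classify_cdp(url: str) -> dict:
    """Describe how a validator would have to fetch this distribution point."""
    scheme = urlparse(url).scheme.lower()
    notes = {
        "http": "plain HTTP download; any validator with outbound HTTP can try it",
        "https": "HTTPS download; any validator with outbound HTTPS can try it",
        "ldap": "LDAP query against the issuing directory; needs domain connectivity",
        "file": "Windows UNC share; only usable from a domain-joined Windows client",
    }
    return {
        "url": url,
        "scheme": scheme,
        "host": cdp_host(url),
        "note": notes.get(scheme, "unknown scheme; most validators will skip it"),
    }


def http_candidates(urls: list[str]) -> list[str]:
    """The distribution points a non-domain-joined host can realistically fetch."""
    return [u for u in urls if urlparse(u).scheme.lower() in ("http", "https")]


def probe_http(url: str, timeout: float = 5.0) -> tuple[bool, str]:
    """Try to download the CRL; returns (reachable, detail). Needs network access."""
    import urllib.request

    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            return True, f"HTTP {resp.status}, {len(body)} bytes"
    except Exception as exc:  # DNS failure, refused connection, 404, timeout...
        return False, str(exc)


if __name__ == "__main__":
    urls = extract_cdp_urls(CDP_DUMP)
    for info in map(classify_cdp, urls):
        print(f"{info['scheme']:5} host={info['host'] or '(none)':30} {info['note']}")
    print()
    for u in http_candidates(urls):
        ok, detail = probe_http(u)
        print(f"{'OK  ' if ok else 'FAIL'} {u}\n      {detail}")
```

Run it on the server where iManager lives: if both HTTP probes fail there, "Unable to read CRL" is simply iManager reporting what this script reports, and the decision is whether the clients that will connect to LDAPS on 636 can reach one of those URLs (or are configured to tolerate an unreachable CRL), not anything about the certificate itself.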
Micro Focus Frequent Contributor

Re: Importing a Third-Party Certificate into eDir- invalid C

Hi Mathias.

The third URL is on the internet. The server has no connection to the internet.

Is it necessary for the server where iManager runs to have connectivity to the 4 URLs?

TIA
Knowledge Partner

Re: Importing a Third-Party Certificate into eDir- invalid C

As for iManager: no. It will, of course, keep on complaining that it can't read the URL on validating. Let it complain. Or don't validate.
But I'd assume you want to really USE this cert somewhere (webserver, LDAP, whatsoever). Depending on what this "somewhere" is, there *might* be problems. Most important: there'll likely be clients connecting to this "somewhere". If it's e.g. a browser, it will, depending on its config, complain or even completely reject connections.
This doesn't seem to be a cert signed by an official CA, right?
Micro Focus Frequent Contributor

Re: Importing a Third-Party Certificate into eDir- invalid C

Hi,

It is an official CA (the internal CA of my customer), and it will be configured on the eDirectory servers for secure connections on port 636.

Some applications will perform user authentication to eDirectory.

Is there anything we must take into consideration?
Knowledge Partner

Re: Importing a Third-Party Certificate into eDir- invalid C

Well, an "official", commercial CA would likely not issue a CRL URL of type "file". Anyway, it all depends on the connecting instances and how they're coded. If a piece of software is coded to really check CRLs and is unable to do so it might just drop the connection attempt.