kab12312 Respected Contributor.

Move Certificate Authority to new Server or create a new CA

I have several, in three separate Trees, OES 2015.1, eDir 8.8 sp8 servers. I will be replacing these servers with SLES 12 sp3, eDir 9.1 servers. New VM, new name and IP, same Tree.

I have read moving an 8.8 CA to a 9.1 server is not recommended.

Should I create a new eDir 9.1 CA on one of the new 9.1 servers? What are the consequences?

Thank you!
15 Replies

Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

On 05/07/2019 08:54 AM, ka12312 wrote:
>
> I have several, in three separate Trees, OES 2015.1, eDir 8.8 sp8
> servers. I will be replacing these servers with SLES 12 sp3, eDir 9.1
> servers. New VM, new name and IP, same Tree.
>
> I have read moving an 8.8 CA to a 9.1 server is not recommended.


Have a link to that recommendation?

> Should I create a new eDir 9.1 CA on one of the new 9.1 servers. What
> are the consequences.


I migrated a system like this a month ago and had no issues with the CA
move. eDirectory 9.1 has more options for more-secure CAs, but it seems to
run the old one just fine too so if changing hardware I would probably
prefer to stick with that which works, and then upgrade the CA as
appropriate once everything else is known to work. I personally prefer
limiting the number of things changing at a time as it makes isolating
problems (if/when they show up) easier.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
kab12312 Respected Contributor.

Re: Move Certificate Authority to new Server or create a new CA

http://support.novell.com/Platform/Publishing/711/3618399_f.1.html

Note 1: Problems will occur, specifically with the CRLs, moving a RootCA from a 8.8 SP8 to a 9.x server. This is not recommended. If moving the RootCA to a 9.x server is desired, first upgrade both the current and future CAs to 9.x before doing so

Looking for docs to upgrade per the above link. Any recommendations? I'm not finding anything explicit on upgrading an 8.8 CA to a 9.1 CA.

Thank you!
Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

ka12312 wrote:

> Looking for Docs to upgrade per the above link. Any recommendations as
> I'm not finding something explicit to upgrade an 8.8 CA to 9.1 CA.


Updating Edir on the old box to 9.x will also update the CA code, I guess.

Since I did not read that TID before I just moved CAs from Edir 8.8.8.10 to
Edir 9.x servers in the same tree just by exporting the CA keys, deleting the
CA object, then recreating on the 9.x server from the export file. No problems
whatsoever with the new CA. But if the TID recommends updating the existing CA
first, why not just do it?

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
kab12312 Respected Contributor.

Re: Move Certificate Authority to new Server or create a new CA

I have been looking for a doc to upgrade the CA and I can't find one. Any recommendations? Thank you.

kab12312 Respected Contributor.

Re: Move Certificate Authority to new Server or create a new CA

I am concerned about the CRL as I have no idea what apps may be using it. We use eDir for our LDAP environment, with many different apps using eDir. There is one CRL on the CA (One) which issues every two weeks. Is this created by default, or did a previous admin create it? Any idea of a way to find out which apps may be using it? Long shot, I know. Appreciate your input.
Micro Focus Expert

Re: Move Certificate Authority to new Server or create a new CA

On 2019-05-15 17:36, ka12312 wrote:
>
> I am concerned about the CRL as I have no idea what apps may be using
> it. We use eDir for our LDAP environment with many different apps using
> eDir. There is one CRL on the CA (One) which issues every two weeks. Is
> this created by default or perhaps a previous admin created it. Any idea
> a way to find out which apps may be using it. Long shot I know.
> Appreciate your input.


Did you put a Certificate Revocation List Distribution Point extension
into the certificates issued by this CA? That is what applications would
use to retrieve the CRL.


--
Norbert
kab12312 Respected Contributor.

Re: Move Certificate Authority to new Server or create a new CA

In another Tree (I have six Trees) there are the following CRLs:
One (for RSA)
OneEC (for ECDSA)

They both have distribution points. However I inherited this system so I don't know if they are being used. Is there a way to tell? Will these migrate over?

There are 4 DPs configured: LDAP, LDAPS, HTTP and HTTPS.

Thank you!
Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

ka12312 wrote:

> They both have distribution points. However I inherited this system so
> I don't know if they are being used. Is there a way to tell? Will
> these migrate over?
>
> There are 4 DPs configured: LDAP, LDAPS, HTTP and HTTPS.


Again, check if there are actually revoked certs being distributed in those
CRLs. Export them via iManager. Also take note of the distribution point URLs.

After the update, check if the CRLs are OK and if not, replace the contained
certs with your backup and correct the distribution points if required.

To check if clients are actually querying the URLs you could run ndstrace
(LDAP/S only) and/or tcpdump/wireshark and monitor those URLs for some time.

Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

On 05/21/2019 02:34 AM, Lothar Haeger wrote:
> ka12312 wrote:
>
> To check if clients are actually querying the URLs you could run ndstrace
> (LDAP/S only) and/or tcpdump/wireshark and monitor those URLs for some time.


Note that tcpdump only is an option if you run it on the client side of
the connection (and then guess based on the target IP, which may also be
used for other things like the desired LDAPS services protected by a
certificate) or if the CRL check happens without TLS (two of the default
distribution points use HTTPS and LDAPS, meaning you will not be able to
see the traffic's contents above layer four (4)). Of course, the
applications using the CRLs (if there are any; it's really rare) will
probably give a message that is pretty clear in their logs.

You could perhaps try breaking the CRLs ahead of time temporarily just to
see if anything balks before you migrate.

--
Good luck.

Micro Focus Expert

Re: Move Certificate Authority to new Server or create a new CA

On 2019-05-20 20:54, ka12312 wrote:
>
> In another Tree, I have six Trees, there are the following CRLs:
> One (for RSA)
> OneEC (for ECDSA)
>
> They both have distribution points. However I inherited this system so
> I don't know if they are being used. Is there a way to tell? Will
> these migrate over?
>
> There are 4 DPs configured: LDAP, LDAPS, HTTP and HTTPS.


Clients with CRL support extract these URLs from the crldp extension on
the certificate presented by the server. Then they connect to these URLs
to retrieve the CRL. You cannot change the crldp in certificates that
have already been issued.

I've had one customer who had configured an LDAP crldp. They then turned
on enforce TLS on all connections in eDirectory. That caused eDirectory
to reject requests for the LDAP crldp URL which in turn caused the
client (an edir2edir driver) to abort its connection attempt.

--
Norbert
Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

Norbert Klasen wrote:

> I've had one customer who had configured an LDAP crldp. They then turned on
> enforce TLS on all connections in eDirectory. That caused eDirectory to
> reject requests for the LDAP crldp URL which in turn caused the client (an
> edir2edir driver) to abort its connection attempt.


Just to make sure I understand that correctly.

A CRL had an LDAP (non-TLS) distribution point configured. Then Edir started
requiring TLS for everything, and an IDM driver running in another tree checked
the non-TLS CRL URL and the connection attempt got rejected (as expected).

Was there no LDAPS distribution point configured or did the client (IDM
Edir2Edir driver) not even attempt to utilize the other URLs (if present)?

Micro Focus Expert

Re: Move Certificate Authority to new Server or create a new CA

On 2019-05-21 13:20, Lothar Haeger wrote:
> Norbert Klasen wrote:
>
>> I've had one customer who had configured an LDAP crldp. They then turned on
>> enforce TLS on all connections in eDirectory. That caused eDirectory to
>> reject requests for the LDAP crldp URL which in turn caused the client (an
>> edir2edir driver) to abort its connection attempt.

>
> Just to make sure I understand that correctly.
>
> A CRL had an LDAP (non-TLS) distribution point configured. Then Edir started
> requiring TLS for everything, and an IDM driver running in another tree checked
> the non-TLS CRL URL and the connection attempt got rejected (as expected).
>
> Was there no LDAPS distribution point configured or did the client (IDM
> Edir2Edir driver) not even attempt to utilize the other URLs (if present)?


Sorry, can't remember if the certificate had in fact other DPs than the
LDAP one.

DPs with TLS need extra care:

https://tools.ietf.org/html/rfc5280#section-8

When certificates include a cRLDistributionPoints extension with an
https URI or similar scheme, circular dependencies can be introduced.
The relying party is forced to perform an additional path validation
in order to obtain the CRL required to complete the initial path
validation! Circular conditions can also be created with an https
URI (or similar scheme) in the authorityInfoAccess or
subjectInfoAccess extensions. At worst, this situation can create
unresolvable dependencies.

CAs SHOULD NOT include URIs that specify https, ldaps, or similar
schemes in extensions. CAs that include an https URI in one of these
extensions MUST ensure that the server's certificate can be validated
without using the information that is pointed to by the URI. Relying
parties that choose to validate the server's certificate when
obtaining information pointed to by an https URI in the
cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
extensions MUST be prepared for the possibility that this will result
in unbounded recursion.


--
Norbert
Knowledge Partner
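Added example, not code from this thread or from eDirectory: a small DER walker that pulls the URIs out of a certificate's cRLDistributionPoints extension (the crldp extension Norbert describes above) and flags the two cases discussed in this thread, the https/ldaps URIs that RFC 5280 section 8 warns about and the plain ldap:// URI that stops working once TLS is enforced on every eDirectory connection. The hostname and DP URIs in the sample are constructed; the extension bytes are built inline from them rather than read from a real CA.

```python
# Added example (not from the thread or eDirectory): minimal DER walker for a
# cRLDistributionPoints extension value (RFC 5280, 4.2.1.13). It extracts the
# URIs a relying party would fetch and flags the schemes discussed in the thread.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _values(buf, want):
    """Yield the value of each element inside constructed value buf whose tag == want."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        if tag == want:
            yield value

def crl_distribution_points(ext_der):
    """Return every uniformResourceIdentifier in a cRLDistributionPoints extension value."""
    _, dps, _ = _read_tlv(ext_der, 0)       # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    return [gn.decode("ascii")
            for dp in _values(dps, 0x30)        # DistributionPoint ::= SEQUENCE
            for dpn in _values(dp, 0xA0)        # distributionPoint [0] DistributionPointName
            for names in _values(dpn, 0xA0)     # fullName [0] GeneralNames
            for gn in _values(names, 0x86)]     # uniformResourceIdentifier [6] IA5String

def assess(uris):
    """https/ldaps DPs risk the RFC 5280 s.8 circular check; ldap:// breaks once eDirectory enforces TLS."""
    scheme = lambda u: u.split(":", 1)[0].lower()
    return {"tls_scheme": [u for u in uris if scheme(u) in ("https", "ldaps")],
            "plain_ldap": [u for u in uris if scheme(u) == "ldap"]}

def _tlv(tag, payload):
    """DER-encode one element; long-form length when the payload is 128 bytes or more."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

# Constructed sample: one DistributionPoint carrying the four DP kinds named in the thread.
SAMPLE_URIS = ["ldap://ca.example.test/cn=One?certificateRevocationList",
               "ldaps://ca.example.test/cn=One?certificateRevocationList",
               "http://ca.example.test/One.crl", "https://ca.example.test/One.crl"]
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0, b"".join(
    _tlv(0x86, u.encode("ascii")) for u in SAMPLE_URIS)))))
```

Feed `crl_distribution_points` the raw extnValue bytes of a real certificate's crldp extension to see which URLs inherited clients will actually try, and compare them against the DPs configured on the new CA.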

Re: Move Certificate Authority to new Server or create a new CA

Norbert Klasen wrote:

> DPs with TLS need extra care:


Yeah, that sounds like fun! 🙂

Knowledge Partner

Re: Move Certificate Authority to new Server or create a new CA

ka12312 wrote:

> Any recommendations


Open a service request to get it straight from the horse's mouth.

Support will also be able to tell you, how to make sure any existing CRLs can
be migrated, if necessary. I suspect, deleting and re-creating the CRL is all
that's required.

Does your existing CRL actually list revoked certs, btw? Check in iManager
(Cert Server > Configure CA > CRL > Details): it is usually empty. If it is in
your setup as well, nothing to worry about in the first place.

And if you really distribute a list of revoked certs, you could export them
from iManager and reimport them again into a fresh CRL after the Update (in
case the CRL gets destroyed somehow and you have to delete/recreate). Do not
forget to take note of the distribution points as well, those should not
change, I guess.
