bobbintb Absent Member.

PKI Error -1226 A certificate was not found in the NDS tree


I am getting the following error when trying to import a certificate in
iManager:

PKI Error -1226 A certificate was not found in the NDS tree certificate
authority (CA) object or Server Certificate Object (also known as the
Key Material Object).

I found this thread in relation to it:

http://tinyurl.com/j2yvpbs

I don't really have a lot of experience with certificates so I'm not
quite sure how to fix the issue. The certificates are from GoDaddy and
are x509.


--
bobbintb

Knowledge Partner

Re: PKI Error -1226 A certificate was not found in the NDS tree

Care to elaborate on what exactly you were doing to start all of this?
Can you create a new KMO on an existing server that otherwise works? Is
your tree CA present and healthy (check via iManager usually)? Were you
trying to use third-party certificates, and if so how very-specifically?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
bobbintb Absent Member.

Re: PKI Error -1226 A certificate was not found in the NDS tree


I'll try to explain as best I can. As I said, I don't have a lot of
experience and this was not set up by me.
Our security guy that is in charge of ordering and tracking certificates
from GoDaddy told me some of our certificates will be expiring soon and
we need to issue new ones. These are third-party external certificates.
I talked to him about it and looked up the documentation on what I
needed to do. I followed this guide as it seemed like what I was trying
to accomplish:

http://tinyurl.com/j4dd6s2

I generated the CSR according to the documentation and I gave the CSR to
our guy and he gave me back the certificates. When I went to import them
I got the error. I chose "External certificate authority" when
generating the CSR and I didn't realize until now when I looked back at
the page but I guess I would need GoDaddy's CA as well, wouldn't I? How
would I install it if that's the case? As near as I can tell our
organizational CA is there and valid. In iManager I went to Roles and
Tasks>Novell Certificate Server>Configure Certificate Authority and it
shows up as valid. As for the KMO question, I really don't know enough
to answer that.


--
bobbintb

Knowledge Partner

Re: PKI Error -1226 A certificate was not found in the NDS tree

> I generated the CSR according to the documentation and I gave the CSR to
> our guy and he gave me back the certificates. When I went to import them
> I got the error. I chose "External certificate authority" when
> generating the CSR and I didn't realize until now when I looked back at
> the page but I guess I would need GoDaddy's CA as well, wouldn't I? How
> would I install it if that's the case? As near as I can tell our
> organizational CA is there and valid. In iManager I went to Roles and
> Tasks>Novell Certificate Server>Configure Certificate Authority and it
> shows up as valid. As for the KMO question, I really don't know enough
> to answer that.


Perhaps check out the 'External CAs' section of the eDirectory
documentation here:

https://www.netiq.com/documentation/edir88/crtadmin88/data/a5bwnsj.html#acsuu2b

The steps in there require using a proprietary, and crappy, browser, but
that is not necessary. The basic point is that your CA should have
provided you with the full chain of certificates all the way to their root
CA. Often this is just serverCert <- rootCA (arrows showing direction of
signing/trust), but more often (in my experience) it is serverCert <-
intermediateCA <- rootCA. Keep in mind there can be multiple (zero to
many) intermediates, though one or two are common.

When importing the certificates, the full chain should be specified.
Creating that basically means opening a text editor and copying/pasting
the various certificate blocks (base64-encoded) into one big long file
that looks something like this:


-----BEGIN CERTIFICATE-----
LotsaBase64EncodedStuffG
oesHereWithTheCertificat
eDataContainedWithinIt==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LotsaBase64EncodedStuffG
oesHereWithTheCertificat
eDataContainedWithinIt==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LotsaBase64EncodedStuffG
oesHereWithTheCertificat
eDataContainedWithinIt==
-----END CERTIFICATE-----


I found this tool just now that will accept a certificate chain and create
the p7b for you: https://www.sslshopper.com/ssl-converter.html

The certificates used to build a p7b are not sensitive, as they are all
(by definition) public, so doing this should not be a huge security risk
as it would be if you were doing ANYTHING with your private key.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
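
Added example, not part of the original posts: a standard-library Python check that a concatenated PEM file like the one described above runs serverCert <- intermediateCA(s) <- rootCA with no link missing, which is the condition the import needs. The function names are illustrative; it compares issuer and subject names byte for byte and does not verify signatures or expiry.

```python
import base64, re, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def read_tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Extract the raw DER issuer and subject Names from an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _field in range(2):              # skip serialNumber, signature algorithm
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)
    issuer, pos = der[pos:end], end
    _, _, pos = read_tlv(der, pos)       # skip validity
    _, _, end = read_tlv(der, pos)
    return issuer, der[pos:end]

def check_chain(pem_text):
    """Return a list of problems; empty means leaf -> ... -> root by name."""
    names = [issuer_subject(d) for d in split_pem(pem_text)]
    problems = [] if names else ["no certificate blocks found"]
    for i, (issuer, _) in enumerate(names[:-1]):
        if issuer != names[i + 1][1]:
            problems.append(f"cert {i}: issuer is not the subject of cert {i + 1}")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-issued: the chain stops short of the root")
    return problems

if __name__ == "__main__":
    issues = check_chain(open(sys.argv[1]).read())
    print("\n".join(issues) or "chain is complete and ordered leaf to root")
    sys.exit(1 if issues else 0)
```

Run it with the path of the concatenated file as the only argument; a non-zero exit status means a certificate is missing or out of order.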
bobbintb Absent Member.

Re: PKI Error -1226 A certificate was not found in the NDS tree



Thanks for the help, the issue has been resolved. It was indeed that I
did not have everything in the chain. I found another thread with the
issue but I was not knowledgeable enough to implement their solution.


--
bobbintb