Anonymous_User Absent Member.

Replacing Expired CA


Hi,
My eDirectory Certificate Authority is due to expire in April so I guess
I need to replace it - what a pain! The question is what is the best
way to do this? I mainly use the CA for issuing server certificates
for LDAPS, IDM and so on, so it's no big deal re-generating the
certificates. What I am not sure about is the procedure. Do I delete
the current CA object first, and then create a new one, or do I create
the new one and then delete the old one (can you even have two CAs)?
Also, if I delete the CA, will the associated default certificates be
deleted automatically or do I need to delete them manually?

My initial plan:
1) Export current CA, just in case
2) Delete current CA
3) Delete default certificates. I am not sure about this step:-
- are they deleted automatically
- do they not need deleting, or will they be overwritten by step 5
- what will happen to services using these certificates if they are
deleted?
4) Create new CA
5) Create default certificates - if not already done so in step 4
6) Create new server certificates
7) Restart services using the certificates e.g. LDAP, HTTPSTKD

Is there a TID for this? I could not find one.

I am running eDirectory 8.8 SP5 on SLES 10 SP2.

Any advice would be welcome.
Regards
Steve Tennant


--
sttennant
------------------------------------------------------------------------
sttennant's Profile: https://forums.netiq.com/member.php?userid=389
View this thread: https://forums.netiq.com/showthread.php?t=46704

hpfeil Absent Member.

Re: Replacing Expired CA

Check out TID 3618399. Yep, it is for moving the CA to another server, but it might help a bit.

I just moved my CA to another server and it took all of 10 mins.

Default certs will remain good until they expire. But, if you want new ones just go to iManager > Novell Certificate Server > Repair Default Certificates.

-Hans



>>> On 2/4/2013 at 9:44 AM, in message <sttennant.5q8vfc@no-mx.forums.netiq.com>, sttennant<sttennant@no-mx.forums.netiq.com> wrote:



Anonymous_User Absent Member.

Re: Replacing Expired CA


Hi Hans,
Thanks for the information. I have read the TID which includes a
section on creating a CA, so, very helpful.
Regards
Steve Tennant

