indranil2121
New Member.

Server certificate expire issue

In our iManager --> role and task --> server certificate, we see that all the certificates (AG DNS certificate, SSL DNS certificate, etc.) are going to expire in 10 days.
We are wondering, is there any way to renew those certificates, or do we need to create new certificates?
What will be the impact of renewing a certificate or creating a new one?
What are the steps to create or renew those certificates through iManager?
Knowledge Partner

Re: Server certificate expire issue

On 4/8/2019 12:34 PM, indranil2121 wrote:
>
> In our iManager --> role and task --> server certificate, we see that all
> the certificates (AG DNS certificate, SSL DNS certificate, etc.) are
> going to expire in 10 days.
> We are wondering, is there any way to renew those certificates, or do
> we need to create new certificates?
> What will be the impact of renewing a certificate or creating a new
> one?
> What are the steps to create or renew those certificates through
> iManager?


The Repair Default certs will recreate new certs of the same name, same
config, but new keys. But anything that trusts the Tree CA will still
trust the new certs, since the CA is still the same.

However, the definition of Default certs has changed and is mostly the
SSL CertificateDNS and no longer updates the SSL CertificateIP.

The impact will depend on what is using them, and how they decided to
trust them. It is possible to trust a specific certificate, as opposed
to the signer of the certificate. If that was done, then it will need to
be redone. If thehy trusted the CA, see above, all should be fine.


Knowledge Partner

Re: Server certificate expire issue

On 04/08/2019 11:08 AM, Geoffrey Carman wrote:
> The impact will depend on what is using them, and how they decided to
> trust them. It is possible to trust a specific certificate, as opposed to
> the signer of the certificate. If that was done, then it will need to be
> redone. If they trusted the CA, see above, all should be fine.


It may also be useful to mention that while things within eDirectory use
certificate objects to get their data, it is also not uncommon to export
the objects to put them on other machines (e.g. web application services,
iManager, etc.) and in that case even if you renew the object you MUST
renew the export of the public and private key to anything using those.
To know what those things are, consult your notes on things done in the
past. If you lack those notes, start looking for TLS/SSL connections now,
and comparing subjects of certificates presented by things you find to see
if they match the certificates within eDirectory.

Otherwise Geoffrey's correct; use 'Repair Default Certificates' and the
default things, e.g. 'SSL CertificateDNS', will be updated, and the next
time you restart services using those certificates, they'll load the new
ones and all will be well (i.e. restart eDirectory).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
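
An added example, not part of the posts above and not Micro Focus tooling: one way to run the inventory described in the reply above, finding listeners that serve an exported copy of an eDirectory certificate and will therefore need a fresh export after 'Repair Default Certificates'. It matches on the SHA-256 fingerprint of the whole certificate rather than on the subject, and the function names, hostnames and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl


def fetch_presented_der(host, port, timeout=5.0):
    """Return the DER certificate a TLS listener presents (e.g. LDAPS on 636)."""
    ctx = ssl.create_default_context()
    # Inventory only: validation is off so expired or privately signed
    # certificates can still be retrieved and compared.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def find_exported_copies(endpoints, edir_certs, fetch=fetch_presented_der):
    """Classify each (host, port) by whether it serves a known eDirectory cert.

    edir_certs maps a certificate object name to its exported PEM text.
    """
    known = {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest(): name
        for name, pem in edir_certs.items()
    }
    results = []
    for host, port in endpoints:
        try:
            der = fetch(host, port)
        except OSError as exc:  # refused, timeout, TLS handshake failure
            results.append((host, port, "unreachable", str(exc)))
            continue
        name = known.get(hashlib.sha256(der).hexdigest())
        status = "serves-edir-cert" if name else "other-cert"
        results.append((host, port, status, name))
    return results


if __name__ == "__main__":
    # Constructed stand-ins for DER bytes; hostnames are placeholders.
    edir_der = b"constructed-edirectory-cert"
    certs = {"SSL CertificateDNS": ssl.DER_cert_to_PEM_cert(edir_der)}
    fake = lambda host, port: edir_der if host == "app1.example" else b"other"
    targets = [("app1.example", 443), ("app2.example", 443)]
    for row in find_exported_copies(targets, certs, fetch=fake):
        print(row)
```

Endpoints reported as `serves-edir-cert` hold a copy of the key pair and certificate; endpoints reported as `other-cert` may still depend on the Tree CA as a trust anchor, which this check does not examine.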
Knowledge Partner

Re: Server certificate expire issue

On 4/8/2019 1:37 PM, ab wrote:
> On 04/08/2019 11:08 AM, Geoffrey Carman wrote:
>> The impact will depend on what is using them, and how they decided to
>> trust them. It is possible to trust a specific certificate, as opposed to
>> the signer of the certificate. If that was done, then it will need to be
>> redone. If they trusted the CA, see above, all should be fine.

>
> It may also be useful to mention that while things within eDirectory use
> certificate objects to get their data, it is also not uncommon to export
> the objects to put them on other machines (e.g. web application services,
> iManager, etc.) and in that case even if you renew the object you MUST
> renew the export of the public and private key to anything using those.
> To know what those things are, consult your notes on things done in the
> past. If you lack those notes, start looking for TLS/SSL connections now,
> and comparing subjects of certificates presented by things you find to see
> if they match the certificates within eDirectory.
>
> Otherwise Geoffrey's correct; use 'Repair Default Certificates' and the
> default things, e.g. 'SSL CertificateDNS', will be updated, and the next
> time you restart services using those certificates, they'll load the new
> ones and all will be well (i.e. restart eDirectory).


I had a client, using some IBM app, that would NOT listen to me, and
kept exporting the certificate public key, even after I gave them the
Tree CA public key, and they kept getting issues when the LDAP server's SSL
cert was updated. It was amazing how little they listened. The first
time in Dev, seemed ok, then they did it in Prod after saying they would
not, so when the cert expired, they broke. They fixed it, again saying
they would do it correctly, but they didn't and two years later we were
back again, same issue.

Some people, you know?
indranil2121
New Member.

Re: Server certificate expire issue

But the Organization tree CA self-signed certificates (OU=Organizational CA.O=IDV-TREE and Self Signed Certificate RSA) are expired. How do I renew the Organization tree CA self-signed certificate first, so I can repair the default server certificate? Are there any steps to follow to do this job through iManager?
Knowledge Partner

Re: Server certificate expire issue

See Lothar's response to your new thread:

https://forums.novell.com/showthread.php?t=511933

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.