shaunglass

iManager Expired Certificate

Good Day,

We have an expired certificate on our iManager Server. Yes, I am aware of the common way to resolve this, but, since we have about 9 different environments we manage, this server does not exist in any of them to create new certificates via iManager.

How can we get this done ... ?

Regards

Re: iManager Expired Certificate

I'm confused; which certificate is expired, exactly? You mentioned
iManager certificates, so I presume the one used for HTTPS to access
iManager itself, but that certificate has never (as far as I recall
anyway) been linked to any particular environment, and even though the
documentation tells you how to do that, it does not matter for anything
important because even the eDirectory CA is untrusted by clients by default:

https://www.netiq.com/documentation/imanager/imanager_install/data/bu3uiv1.html

If you want to have a third-party CA sign your certificate, the steps are
similar but documented online in a million places. You generate a
keypair, create a CSR to send to the CA, have them sign it and send back
the certificate, and then give that to Tomcat.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: iManager Expired Certificate

shaunglass wrote:

>
> Good Day,
>
> We have an expired certificate on our iManager Server. Yes, I am aware
> of the common way to resolve this, but, since we have about 9 different
> environments we manage, this server does not exist in any of them to
> create new certificates via iManager.
>
> How can we get this done ... ?
>
> Regards


You can follow
https://www.netiq.com/documentation/imanager-3/imanager_install/data/b18ro0hi.html
as of step 5 with any p12 private/public key pair in a format Tomcat
supports. When I have to create keys and certificates outside iManager I
usually use XCA (-> http://xca.sourceforge.net). Other options are openssl
(->https://www.madboa.com/geek/openssl/) or the Java keytool (->
https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html) or
Portecle (-> http://portecle.sourceforge.net).

Independent of the tool you use, the basic steps are:

- generate a key pair
- generate a signing request (CSR)
- have it signed by a CA of your choice (e.g. eDirectory via iManager)
- convert signed cert & private key to PKCS#12 format
- configure iManager's Tomcat to use it

Make sure the common name of your cert matches the host name users will use to
access iManager and for good practice also add it as Subject Alternative Name
(SAN) as well as all alternative DNS names or IP addresses users might use in
their browsers. Only if the CN/SANs match the URL in the browser, no
errors/warnings will pop up.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

Re: iManager Expired Certificate

On 09/14/2017 03:01 PM, Lothar Haeger wrote:
>
> You can follow
> https://www.netiq.com/documentation/imanager-3/imanager_install/data/b18ro0hi.html
> as of step 5 with any p12 private/public key pair in a format Tomcat
> supports. When I have to create keys and certificates outside iManager I
> usually use XCA (-> http://xca.sourceforge.net). Other options are openssl
> (->https://www.madboa.com/geek/openssl/) or the Java keytool (->
> https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html) or
> Portecle (-> http://portecle.sourceforge.net).
>
> Independent of the tool you use, the basic steps are:
>
> - generate a key pair
> - generate a signing request (CSR)
> - have it signed by a CA of your choice (e.g. eDirectory via iManager)
> - convert signed cert & private key to PKCS#12 format
> - configure iManager's Tomcat to use it
>
> Make sure the common name of your cert matches the host name users will use to
> access iManager and for good practice also add it as Subject Alternative Name
> (SAN) as well as all alternative DNS names or IP addresses users might use in
> their browsers. Only if the CN/SANs match the URL in the browser, no
> errors/warnings will pop up.


Keep in mind that if you use Subject Alternative Names (SAN) then the main
certificate Subject is NOT checked, so if you add a SAN, be really sure
the Subject is included as one of the SANs or you risk browser
errors.

With that written, I do not think I have a single client using third-party
certificates for iManager; the only instance I know about is my own, and
that's just because I have been experimenting with it behind NAM (mostly
works, often with drastically-improved performance because of caching made
possible by NAM).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
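
The steps listed in the second reply, together with the SAN caveat from the third, as an added example that is not part of any post in this thread. It assumes the OpenSSL command-line tool; the host names, IP address, file names, the `changeit` password and the throwaway test CA are constructed, and the CA stands in for whichever CA signs the request.

```shell
#!/bin/sh
# Added example. Names, password and the throwaway CA below are constructed.
set -eu
umask 077    # private keys and the .p12 must not be world-readable

# issue_p12 DIR CN SAN_LIST   e.g. SAN_LIST="DNS:a.example.test,IP:192.0.2.10"
issue_p12() {
    dir=$1; cn=$2; san=$3
    mkdir -p "$dir"
    # Stand-in for "a CA of your choice"; with a real CA you send srv.csr instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Steps 1+2: key pair and signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    # Step 3: the CA signs and sets the SANs from an extension file
    printf 'subjectAltName=%s\n' "$san" > "$dir/san.ext"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/srv.crt" 2>/dev/null
    # Step 4: key + cert + CA cert into one PKCS#12 file for Tomcat
    openssl pkcs12 -export -inkey "$dir/srv.key" -in "$dir/srv.crt" \
        -certfile "$dir/ca.crt" -name tomcat -passout pass:changeit \
        -out "$dir/srv.p12"
}

# name_ok CERT HOST: succeeds if HOST matches CERT the way a TLS client checks it
# (once a DNS SAN is present, the subject CN is no longer consulted).
name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# valid_for_days CERT N: succeeds if CERT is still valid N days from now
# (run it from cron or monitoring to catch the next expiry early).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# p12_ok FILE: succeeds if the PKCS#12 file opens with the export password
p12_ok() {
    openssl pkcs12 -in "$1" -passin pass:changeit -noout 2>/dev/null
}

work=$(mktemp -d)
issue_p12 "$work" imanager.example.test "DNS:imanager.example.test,IP:192.0.2.10"
name_ok "$work/srv.crt" imanager.example.test && valid_for_days "$work/srv.crt" 30 \
    && p12_ok "$work/srv.p12" && echo "srv.p12 ready in $work"
```

The last step from the list, pointing iManager's Tomcat at `srv.p12`, follows the documentation linked in the thread. Running `name_ok` for every name users type catches a certificate whose CN was left out of the SAN list before it reaches a browser.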