InmaGP Absent Member.

iManager 2.7.4 Third party certificate expired

Hi guys!

It's been a while since my last post but I'm here again with another question.

I'm trying to renew a certificate signed by an external CA; they pass me the .p12 only.

I log in with a user with the appropriate rights.
From the "Roles and Tasks" menu, I click "Novell Certificate Access -> Server Certificates", then click the check-box of the expired certificate and click on "Replace". I select the pkcs12, I write the password they gave me and click next until the "Finish" button, but nothing happens.

Another thing that I have done:

From the "Roles and Tasks" menu, I click "Novell Certificate Server -> Create Server Certificate", I put the server and the KMO, then I choose "Import", I browse to the pkcs12 with the password and when I click Finish this is the error that comes out:
"PKI Error -1226 A certificate was not found in the NDS tree certificate authority (CA) object or Server Certificate Object (also known as the Key Material Object). "

I checked that the plugin is updated and restarted Tomcat.

What am I doing wrong?
Thank you for any response!

Regards
Knowledge Partner

Re: iManager 2.7.4 Third party certificate expired

I'm not sure what is wrong, but another option may be to just import the
PKCS12 (.p12) file into a new key material object (KMO) to see if that
works any better. Create Server Certificate: Import: import the file. I
believe that should function the same way, though of course you'll now
have a second KMO, but that's fine since either this can be done for a
test, or you can even use this as your new KMO going forward, depending on
your needs.

On the other hand, it's odd that an external CA would give you a PKCS12
file because normally those include private keys, and unless you did
something unusual (politely meaning wrong) nobody should ever have your
private key. Perhaps it would help if you explained how this KMO was
originally created. I am assuming you created a Certificate Signing
Request (CSR) from iManager, then sent the public key data to the CA for
their signature, and they would then have sent back a file with the full
certificate and chain, maybe in a P7B file.

If the file they send you only has the public key (and possibly chain)
within, then you need to merge that with the private key before using the
Replace method. Again, the Replace option only really matters if they
have the full PFX file, meaning including the private key. Otherwise, see
if the 'Import' option will work for you if you have a P7B file.

If using a PFX/PKCS12/P12 file and you are using 'Replace' and you are
sure that is all correct, perhaps try creating a new server object and
then using 'Replace' with that. Another option may be to try a newer
version of iManager, maybe using iManager Workstation, to see if that
makes any difference.

Which eDirectory version do you use? iManager 2.7 SP4 is very old, so
patching that may help, especially if eDirectory is new.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
InmaGP Absent Member.

Re: iManager 2.7.4 Third party certificate expired

Thanks for your reply ab!

I work in the client's office and we are different companies.
One of them is the one that requested the certificate and they generated the .p12 with the private key with openssl and they passed it to me with the password.
My job is to change the expired certificate for the new one.

The version that is installed is IDM 3.6, I know it is old but they are currently with a project to update IDM 4.7 but the problem is with the 3.6 that they are using daily for now.

I have also tried the possible solutions, but they do not substitute the certificate;
- if I create a new object with the "import" option, it gives the same error (-1226)
- if I create the object with the "custom" option, I choose "External certificate authority" and the rest of the options by default, I have to finish and save the certificate, if I then try to "import", it gives me the same error again
- if I create it with the "standard" option, and after finishing, I select it and click on "Replace", nothing happens, it does not do anything.

I've been doing this for weeks and I've tried everything, I've updated the iManager certificate plugins.

Thanks for any help!
Regards
Knowledge Partner

Re: iManager 2.7.4 Third party certificate expired

On 12/28/2018 01:44 AM, InmaGP wrote:
>
> I work in the client's office and we are different companies.
> One of them is the one that requested the certificate and they generated
> the .p12 with the private key with openssl and they passed it to me with
> the password.
> My job is change the expired certificate for the new one.


Do you have the steps that they use to generate the certificate? It
should be easy to duplicate that here, preferably knowing the version of
openssl they are using so we can compare that too, to then try duplicating
the import of a p12/pfx file into eDirectory.

> The version that is installed is IDM 3.6, I know it is old but they are
> currently with a project to update IDM 4.7 but the problem is with the
> 3.6 that they are using daily for now.


Just to be clear, how does this impact Identity Manager (IDM), if at all?
Perhaps this is just in the same tree as IDM, but IDM itself is fine and
this is for something else. It is unusual to use custom certificates for
IDM on the eDirectory side, so if that's the case knowing more details
about why would be nice.

Which version of eDirectory are you running on each box in the tree?

iManager is the part I was concerned about with regard to versions, in
addition to eDirectory. The certificate plugin version may matter, but
considering how much TLS/SSL technologies have changed in the past five
(5) years, it is possible that normal upgrades have left you with an
incompatibility between client (iManager) and server (eDirectory), or
between certs from other systems (openssl) and everything on this side,
especially if openssl is current.


--
Good luck.

InmaGP Absent Member.

Re: iManager 2.7.4 Third party certificate expired

ab;2492999 wrote:
> On 12/28/2018 01:44 AM, InmaGP wrote:
> >
> > I work in the client's office and we are different companies.
> > One of them is the one that requested the certificate and they generated
> > the .p12 with the private key with openssl and they passed it to me with
> > the password.
> > My job is change the expired certificate for the new one.
>
> Do you have the steps that they use to generate the certificate? It
> should be easy to duplicate that here, preferably knowing the version of
> openssl they are using so we can compare that too, to then try duplicating
> the import of a p12/pfx file into eDirectory.


I can ask what are the steps that they follow and I post here, the communication is not very transparent...

ab;2492999 wrote:
> On 12/28/2018 01:44 AM, InmaGP wrote:
> > The version that is installed is IDM 3.6, I know it is old but they are
> > currently with a project to update IDM 4.7 but the problem is with the
> > 3.6 that they are using daily for now.
>
> Just to be clear, how does this impact Identity Manager (IDM), if at all?
> Perhaps this is just in the same tree as IDM, but IDM itself is fine and
> this is for something else. It is unusual to use custom certificates for
> IDM on the eDirectory side, so if that's the case knowing more details
> about why would be nice.
>
> Which version of eDirectory are you running on each box in the tree?
>
> iManager is the part I was concerned about with regard to versions, in
> addition to eDirectory. The certificate plugin version may matter, but
> considering how much TLS/SSL technologies have changed in the past five
> (5) years, it is possible that normal upgrades have left you with an
> incompatibility between client (iManager) and server (eDirectory), or
> between certs from other systems (openssl) and everything on this side,
> especially if openssl is current.


There is only one tree and in this case it is just a single server, no replicas.

I can tell you version of:
eDirectory: Novell eDirectory 8.8 SP6 v20605.01
openssl: OpenSSL 0.9.8h 28 May 2008

They haven't updated it because "if it works, we don't touch it"...

When I have the steps that they use to generate the certificate, I post it here.
Thank you very much for the help
Knowledge Partner

Re: iManager 2.7.4 Third party certificate expired

On 12/31/2018 02:36 AM, InmaGP wrote:
>
> I can ask what are the steps that they follow and I post here, the
> communication is not very transparent...


Thankfully the steps to mint a certificate with openssl are as transparent
as can be on the Internet. Perhaps try to do so on your own system,
seeing if you can generate something that will import into eDirectory,
since 8.8 SP6 is very old, as is openssl 0.9.8h, so maybe those will work
together because of their similar timeframe.

> There is only one tree and in this case it is just a single server, no
> replicas.
>
> I can tell you version of:
> eDirectory: Novell eDirectory 8.8 SP6 v20605.01
> openssl: OpenSSL 0.9.8h 28 May 2008


Considering your inability to get information from the PKI side of things
("not very transparent"), I am guessing you mean the OpenSSL version on
the eDirectory box, but that does not matter. I am curious which version
of OpenSSL they are using. Maybe it is the same there, but if they are
dedicated to minting certificates it is very likely they are keeping up
with OpenSSL versions.

> They haven't update it because "if it works, we don't touch it"...
>
> When I have the steps that they use to generate the certificate, I post
> it here.
> Thank you very much for the help


As mentioned above, you may want to try to do it on your own to see if,
from the eDirectory box itself, you can get a PKCS12/PFX file that will
work with eDirectory as a comparison. I suppose I could generate one too,
but then I'd need to get it to you, and it might just be easier for you to
do it there since it's basically one openssl command that Google will find
for you.

--
Good luck.

InmaGP Absent Member.

Re: iManager 2.7.4 Third party certificate expired

Hi again and happy new year!!

I have asked how the certificate is generated (.CSR) and they create it with openSSL.
Then they send it to the CA and then the CA forwards the CRT.
After this, the system team generates the .p12 with openSSL like this:

openssl x509 -inform der -in certificate.crt -out certificate.pem -outform pem
openssl pkcs12 -export -in certificate.pem -inkey certificate.key -out certificate.p12 -name "servidor_profile"
Enter Export Password: *****
Verifying - Enter Export Password: *****

This .p12 is the one that they pass to me to import into iManager.
But nothing happens when I try to replace.

I tried to follow the steps on this web page: https://support.microfocus.com/kb/doc.php?id=3305590
but in step 15, after disabling "Identification" and going back to the certificate, the attributes that they indicate don't appear.

NDSPKI:Certificate Chain
NDSPKI:Not After
NDSPKI:Not Before
NDSPKI:Public Key Certificate
ndspkiAdditional Roots
ndspkiAdditional Roots
NDSPKI:Key File

I do not know what else to do because I can't renew it...

When you say that I try to generate it, how do I do it if it is signed by an external CA?
InmaGP Absent Member.

Re: iManager 2.7.4 Third party certificate expired

Knowledge Partner

Re: iManager 2.7.4 Third party certificate expired

On 01/15/2019 02:34 AM, InmaGP wrote:
>
> The solution I found in this forum link:
> https://forums.novell.com/showthread.php/496958-PKI-Error-1226-A-certificate-was-not-found-in-the-NDS-tree


Sounds good; thanks for sharing the results. In case that link ever
breaks, I understand that the solution there (thus here) was that the
certificate chain in the PFX/PKCS12 file was not complete, meaning it did
not have the complete list of certificate authorities (CA) used to sign
the public key.

--
Good luck.

InmaGP Absent Member.

Re: iManager 2.7.4 Third party certificate expired

Hi ab!

The solution has been to add the certification chains of the CA (root and intermediate) and the .CER of the certificate that they passed me in a single file .CER.
Then I had to convert it to .PFX and I was able to successfully import it into iManager.
Thanks for all!
0 Likes
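
Added example, not written by any poster in this thread: the resolution above (a PKCS12 that carried only the server certificate versus one that also carries the intermediate and root CA certificates), reproduced with throwaway certificates. The CA names, the host name, the `demo-only` password and the function names are constructed for the demo; `certificate.pem`, `certificate.key` and `servidor_profile` follow the commands quoted in the thread.

```shell
#!/bin/sh
# Added example. Every key and certificate below is a throwaway demo object.
set -e
PW=demo-only   # constructed export password

make_demo_pki() {            # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$d/certificate.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/certificate.pem" 2>/dev/null
}

build_p12() {                # $1 = dir; writes leaf_only.p12 and full_chain.p12
  d=$1
  # Same shape as the command quoted in the thread: server certificate + key only.
  openssl pkcs12 -export -in "$d/certificate.pem" -inkey "$d/certificate.key" \
    -out "$d/leaf_only.p12" -name servidor_profile -passout "pass:$PW"
  # Complete chain: concatenate intermediate and root, pass them with -certfile.
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
  openssl pkcs12 -export -in "$d/certificate.pem" -inkey "$d/certificate.key" \
    -certfile "$d/chain.pem" -out "$d/full_chain.p12" -name servidor_profile \
    -passout "pass:$PW"
}

count_certs() {              # $1 = .p12 file; prints how many certificates it holds
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PW" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

chain_verifies() {           # $1 = dir; server cert must chain to the root via chain.pem
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
    "$1/certificate.pem" >/dev/null 2>&1
}

run_demo() {
  w=$(mktemp -d); make_demo_pki "$w"; build_p12 "$w"
  echo "leaf_only.p12:  $(count_certs "$w/leaf_only.p12") certificate(s)"
  echo "full_chain.p12: $(count_certs "$w/full_chain.p12") certificate(s)"
  chain_verifies "$w" && echo "chain verifies against the demo root"
  rm -rf "$w"
}
run_demo
```

Running `count_certs` on a file received from another team, before attempting the import, shows whether the CA certificates are present in it.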