Tool

Certificate Re-creation Script for OES1 and OES2

Author Info

26 September 2008 - 8:36am
Submitted by: jmeldrum

Author Blog
Author Profile

Tags

Tags Map
tool
Reads:

8183

Score:
4
4
4
 
Comments:

10

license: 
GPLv2

The Certificate Creation script recreates the certificates on OES1 and OES2 servers using a Personal Information Exchange File. With an additional parameter it will also restart all the necessary services. The following information is obtained in the script execution process.

Platforms Supported:

32 and 64 bit OES1 and OES2 are currently supported.

Script Process:

  1. The following files are backed up with the date and time appended.
    /etc/ssl/servercerts/servercert.pem
/etc/ssl/servercerts/serverkey.pem
/var/lib/novell-lum/x.x.x.x.der
/etc/opt/novell/SSCert.pem //OES1
/etc/opt/novell/certs/SSCert.pem //OES2
  2. Creation of new Certificates
    /etc/ssl/servercerts/serverkey.pem
/etc/ssl/servercerts/servercert.pem
/etc/opt/novell/SSCert.pem //OES1
/etc/opt/novell/SSCert.der //OES1
/etc/opt/novell/certs/SSCert.pem //OES2
/etc/opt/novell/certs/SSCert.der //OES2
/var/lib/novell-lum/x.x.x.x.der
  3. Reloads services (optional)
    owcimond
nldap
namcd
apache2

Installation Instructions:

  1. Download certificate-creation.tgz
  2. Open a Terminal window and type “su”
  3. Enter root’s password
  4. Extract the script from the tarball
    #tar –xzvf certificate-creation.tgz
  5. Make the script executable.
    #chmod 755 certificate-creation.sh
  6. Export the Personal Information Exchange File using iManager.
    1. In iManager, go to Directory Administration -> Modify Object
    2. Select the SSL CertificateDNS - YourServerName certificate object, which by default is in the same eDirectory context as your server object and click OK
    3. Go to the Certificates tab of the certificate object and click Validate. It should come back as Valid. If not, there is something wrong with your Certificate Authority and you should rectify this problem and regenerate the certificates before continuing.
    4. Select Export.
    5. Select "Export private key" and "Include all certificates in the certification path if available."
    6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password will be removed in a future step.
    7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on your server. The default file name is cert.pfx
  7. Run the certificate-creation.sh script
    #./certificate-creation.sh -f /directory/fileName.pfx -c -r

Fixes and Enhancements:

    Version 1.1

  1. The script will now check if your are root
  2. OES2 x86_64 is now supported
  3. A relative path to the .pfx file can now be used.
Note: Using a –h will display other parameter options if desired. The most recent version (1.1) no longer requires the full path to the ".pfx file
AttachmentSize
certificate-creation-1.1.tgz2.79 KB

Author Info

26 September 2008 - 8:36am
Submitted by: jmeldrum

Author Blog
Author Profile

Tags

Tags Map


Related Articles


User Comments

Fantastic

Submitted by peterhine on 26 January 2009 - 8:52pm.

Thanks VM.

Now if only there was a way to get the .pfx out of eDir using ldap or some other command line tool. then we wouldn't need iManager. We'd need the eDir credentials and a temporary password could be autogenerated to protect the pfx, and when finished, the pfx could be deleted. Could make it safer all round. !!!

Challenge anyone ?

P

Command Line Tool

Submitted by jmeldrum on 23 March 2009 - 7:34am.

If I knew of a way to do this, I would be happy to script it. Currently, I am not aware of a way.

Very helpful script

Submitted by woodsy_ca on 19 March 2009 - 7:12am.

Ran into problems when migrating to a virtual system. This script was very helpful in restoring all the certificates. However, I ran into two problems:

1. Although there appeared to be certificates for the server in eDirectory, editing the certificates in iManager drew a blank. I had to use TID 7001013 to re-create the certificates for the server in eDirectory.
http://www.novell.com/support/dynamickc.do?cmd=sho...

2. The script does not update the certificate store for Tomcat (/etc/opt/novell/tomcat4/cacerts. Had to import these manually using TID 3734475 as a guide.
http://www.novell.com/support/dynamickc.do?cmd=sho...

These are not complaints; just additional info if someone runs into the same issues.

Thanks putting this together.

Very Helpful Script Reply

Submitted by jmeldrum on 23 March 2009 - 7:32am.

Thank you for the new information. I will look at possible ways of trying to script those suggestions into a newer version.

Isn't iManager capable of handling this now?

Submitted by martinst on 30 March 2009 - 3:56am.

Hi, is this procedure still needed, or should I just use iManager - Novell Certificate Server - Create/Repair Default Certificates and then restart the ndsd | use the "namconfig -k" to use the new certificates?

iManager works

Submitted by joshw on 2 April 2009 - 8:01am.

I can verify this - using iManager from another server I ran the "Create Default Certificates" task and marked the option to replace the existing certificates (mine were expired). I then ran "namconfig -k", rebooted the server, and everything was working fine again. For reference, I was running iManager from a NW6.5 server, and the server I replaced the certificates on was OES1/SLES9.

adding in httpstkd

Submitted by peterhine on 28 May 2009 - 9:42pm.

I added :


cp /etc/ssl/servercerts/servercert.pem /etc/opt/novell/httpstkd/server.pem
cp /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/httpstkd/server.key
rcnovell-httpstkd restart

just to take it a step further

P

Recreated /etc/ssl/servercerts/servercert.pem

Submitted by gyvnn on 24 July 2009 - 1:56am.

Original servercert.pem:
-----BEGIN CERTIFICATE-----
Bla-bla-bla...
-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
Bla-bla-bla...
-----END TRUSTED CERTIFICATE-----

Recreated servercert.pem:
-----BEGIN CERTIFICATE-----
Bla-bla-bla...
-----END CERTIFICATE-----

Execute:
openssl verify servercert.pem
...
error 20 at 0 depth lookup:unable to get local issuer certificate

Hostname/IP Address Change?

Submitted by MHGlenn on 7 August 2009 - 11:42am.

Interesting; I wonder if this could be used to get everything back up to snuff after changing the hostname and/or IP address of a server?

Well, off to the lab....

Vpn

Submitted by 1ana on 10 August 2009 - 4:48am.

You could use VPN for that.

© 2009 Novell, Inc. All Rights Reserved.