Server Certificate Issues


External CAs

Some third-party CAs like Verisign use an intermediate CA to sign server certificates. In order to import these certificates into a Server Certificate object, the server certificate as well as the Intermediate CA and the trusted root certificate must be in a single PKCS #7 formatted file (.P7B). If your CA cannot provide you with such a file, you can create one yourself by following these steps on a client machine with Internet Explorer 5.5 or later installed.

  1. Import the server certificate into Internet Explorer. You can do this by double-clicking on the file or by selecting File > Open and selecting the filename.

  2. If the external CA's certificate is not already listed as a trusted CA in Internet Explorer, import the Intermediate CAs as well as the root level CA in the same manner.

  3. In Internet Explorer, select Tools > Internet Options. Select the Content tab, then select the Certificates button.

  4. On the Personal tab, find the server certificate. Select it and click Export.

  5. Accept the defaults in the wizard until you get to the Export File Format page, then select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.p7b) format.

  6. Continue with the wizard.

    The PKCS #7 file can now be imported into the Server Certificate object.


Moving a Server

If a Server object is moved, the LDAP objects, SAS service object, and Server Certificate objects (Key Material Objects) for that server must also be moved.


DNS Support

If NetWare 5 Support Pack 3 or later is installed and DNS is configured for the server, the default subject name for a server certificate will be

.CN=<Server's DNS Name>.O=<Tree Name>

Otherwise, the default subject name will be the fully distinguished name of the server. You can modify the default subject name by selecting Custom during the certificate creation process.

NOTE:  DNS was not available prior to NetWare 5 Support Pack 3.


Deletion of the SAS Object

If you delete the SAS service object, any server certificates previously created for that server cannot be used by applications on the server. If these certificates are still needed, you can restore the SAS object from backup. If that is not possible, contact Novell Support for assistance.


Removing a Server from a Tree

There are several Certificate Server issues you need to consider when you remove a server from an eDirectory tree. Go to the Novell Support Web site and search for TID #10056795, Certificate Server Issues - Removing a Server.


Step-Up Cryptography, Server-Gated Cryptography, or Global Certificates

Some external Certificate Authorities provide certificates that enable 40- or 56-bit Web browser clients to use 128-bit cryptography when communicating with a server configured with their certificates.

These certificates are sometimes referred to as global certificates or server-gated cryptography certificates. The capability can be referred to as step-up cryptography.

These certificates can be used successfully for LDAP and Web Server connections only if the Web browser has 128-bit cryptography. Web browsers with 40- or 56-bit cryptography will experience unrecoverable SSL errors when communicating with servers configured with these certificates.

If Web browsers with 40- or 56-bit cryptography must communicate with your server, you must request a different type of certificate from your external CA.


Subject Name Limitations for CAs

Server certificates with an @ character in their subject names might cause SSL connections to fail. Contact Novell Support for a resolution of the problem.