6.5 Implementing Digital Certificates in an OES Environment

In an OES environment, you can secure the communications between servers and clients by deploying a digital certificate that clients are able to verify. Such certificates should be issued and signed by a Certificate Authority (CA). The CA can be a trusted third-party vendor or your own organizational CA.

This section describes the procedures to implement digital certificates in an OES environment.

6.5.1 Configuring the Digital Certificate

In an eDirectory environment, make the Organizational CA a subordinate certificate authority, so that it chains to a trusted third-party CA or to the CA of another eDirectory tree. For more information on why you should create a subordinate certificate authority, see Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.

To configure the digital certificate:

  1. Create the Certificate Signing Request (CSR) file from your OES environment. For detailed instructions, see Step 1 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.

  2. Get the CSR signed by a trusted third-party CA or another eDirectory tree. For detailed instructions, see Step 2 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.

  3. Acquire the signed CA certificate from the third-party CA or another eDirectory tree. For detailed instructions, see Step 3 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.

  4. Import the signed CA certificates into your OES environment. For detailed instructions, see Step 4 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.

  5. Export the certificate together with its private key to a PKCS#12 file in your OES environment. For detailed instructions, see Step 5 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.

    NOTE: If you already have a certificate signed by a third-party CA, skip Step 2 and Step 3.

    For more information on creating and importing certificates using third-party vendors such as VeriSign or RapidSSL, see the TID on How to import a Production VeriSign External Certificate into eDirectory using iManager (3033173).

6.5.2 Reconfiguring Services after Importing the Certificate

The following services must be reconfigured so that they use the latest verified certificate: LDAP, Apache, and LUM.

Reconfiguring LDAP

To point the LDAP server object to the verified certificate:

  1. Log in to iManager with administrative privileges.

  2. Click the LDAP > LDAP Options > View LDAP Groups tab and the LDAP group, then select the Require TLS for Simple Binds with Password check box. With this option set, the server rejects simple binds that send a password over a connection without TLS, so any client that still binds in cleartext on the non-TLS port must be moved to TLS first.

  3. Click Apply and OK.

  4. Click the LDAP Options > View LDAP Servers tab, then click the LDAP server > Connections. In the Server Certificate text box, search for and select the certificate that you created.

  5. Click Apply and OK.

  6. Repeat Step 4 and Step 5 for all the LDAP servers in the LDAP group.

Reconfiguring Apache

Reconfiguring LUM

For LUM to use the latest signed certificate:

  1. Rename the .der certificate that you generated in Step 3 in Section 6.5.1, Configuring the Digital Certificate to .<your OES IP address>.der format and copy it to /var/lib/novell-lum.

    For example, to rename SourceCert.der, execute cp /root/certs/SourceCert.der /var/lib/novell-lum/.198.162.1.1.der.

  2. Refresh the nam settings using the namconfig cache_refresh command.

    To view the certificate details, execute the openssl x509 -in /var/lib/novell-lum/.198.162.1.1.der -noout -inform der -text command.
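The LUM step wrapped in checks a practitioner would want before running namconfig cache_refresh, as an added example that is not part of this guide and not LUM's own tooling. LUM expects a DER file under the dotted .<IP>.der name; the helpers below refuse PEM input (a common cause of LUM not picking up the certificate), compare the installed copy's SHA-256 fingerprint against the source, and check remaining validity. The source file name SourceCert.der and the address 198.162.1.1 follow the text above; the LUM_DIR override and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example: install and verify the LUM CA certificate file. Not LUM's own code.
set -eu

# Directory LUM reads certificates from (override for testing; assumption).
LUM_DIR=${LUM_DIR:-/var/lib/novell-lum}

# is_der_cert FILE : 0 only if FILE is a DER-encoded X.509 certificate.
# A PEM file starts with "-----BEGIN", so reject that before parsing.
is_der_cert() {
  [ "$(head -c 5 "$1")" != "-----" ] &&
    openssl x509 -in "$1" -inform der -noout >/dev/null 2>&1
}

# install_lum_cert SRC IP [DIR] : copy SRC to DIR/.IP.der, LUM's naming scheme.
# Prints the installed path; fails without touching DIR if SRC is not DER.
install_lum_cert() {
  src=$1; ip=$2; dir=${3:-$LUM_DIR}
  if ! is_der_cert "$src"; then
    echo "refusing $src: not a DER certificate (convert with: openssl x509 -outform der)" >&2
    return 1
  fi
  mkdir -p "$dir"
  cp "$src" "$dir/.$ip.der"
  chmod 644 "$dir/.$ip.der"
  echo "$dir/.$ip.der"
}

# cert_fingerprint FILE : SHA-256 fingerprint of a DER certificate, colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -inform der -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# lum_cert_matches INSTALLED SRC : 0 if both files carry the same certificate.
lum_cert_matches() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# lum_cert_valid_for FILE SECONDS : 0 if the certificate does not expire within SECONDS.
lum_cert_valid_for() {
  openssl x509 -in "$1" -inform der -noout -checkend "$2" >/dev/null
}

# Usage on a server, after which you run: namconfig cache_refresh
#   installed=$(install_lum_cert /root/certs/SourceCert.der 198.162.1.1)
#   lum_cert_matches "$installed" /root/certs/SourceCert.der
#   lum_cert_valid_for "$installed" 2592000   # 30 days
#   openssl x509 -in "$installed" -inform der -noout -text
```

Only after these checks pass is the cache refresh worth running; a PEM file or a wrong file name leaves LUM on the old certificate with no obvious error.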