Certain circumstances call for a server certificate (Key Material Object or KMO) to be signed by a Certificate Authority in another eDirectory tree.

For example, an organization with two (or more) eDirectory trees may want all certificates signed by the same Certificate Authority, so that applications only need to trust one CA in their keystore.

For our example, we will say we have an IDV tree and an AUTH tree. We want the IDV tree CA to sign all certs in the AUTH tree. This example uses iManager 2.6.

To do this we need to have iManager sessions open to both trees, IDV and AUTH. The process is:

  1. In the AUTH tree iManager select "Novell Certificate Server"->"Create Server Certificate"
  2. Select the server and provide a meaningful "Nick Name" for the Certificate.
  3. Check the "Custom" Box; Then NEXT
  4. Select "External certificate authority"; Then NEXT
  5. On the next page, keep the defaults or adjust as desired; then NEXT.
  6. On the next page, keep the defaults or adjust as desired; then NEXT.
  7. On the next page, Review and then FINISH.
  8. On the next page, Click the "Save Certificate Signing Request"; then CLOSE.

Move to the IDV TREE iManager.

  1. In the IDV tree iManager select "Novell Certificate Server"->"Issue Certificate"
  2. Select the CSR file saved from above; then NEXT.
  3. On the next page, keep the defaults or adjust as desired; then NEXT.
  4. On the next page, keep the defaults or adjust as desired; then NEXT.
  5. On the next page, keep the defaults or adjust as desired; then NEXT.
  6. Select the Format to Save the Signed Certificate; then NEXT.
  7. Download the issued certificate.
  8. Export the CA Certificate and save it to a file.

Go back to AUTH tree iManager.

  1. Select "Directory Administration"->"Modify Object" and select the KMO with the "Nick Name" given in the first set of steps.
  2. Select the "Certificate" Tab at the top.
  3. Select the "Import" button.
  4. Browse to the "Signed Certificate" created above.
  5. Select the "Signed Certificate" and the "CA Certificate"
  6. The certificate is now ready to use.
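
Before the import in the last set of steps, the three saved files can be checked outside iManager. This is an added example, not part of the original procedure: it assumes the `openssl` command line is installed and that the exported IDV CA certificate is a self-signed root, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import check of the files saved from the two iManager sessions.
# Usage (file names are placeholders): check_signed_cert server.csr signed.der idv-ca.der

# Print a certificate as PEM, accepting either Base64 (PEM) or binary DER input.
cert_to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Print the public key held in a CSR (PEM or DER input).
csr_pubkey() {
    openssl req -in "$1" -inform PEM -noout -pubkey 2>/dev/null ||
    openssl req -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# check_signed_cert CSR SIGNED_CERT CA_CERT
#   0 = certificate carries the CSR's key and verifies against the CA
#   1 = public key mismatch, 2 = not issued by this CA, 3 = unreadable input
check_signed_cert() {
    work=$(mktemp -d) || return 3
    if ! cert_to_pem "$2" > "$work/cert.pem" ||
       ! cert_to_pem "$3" > "$work/ca.pem" ||
       ! want=$(csr_pubkey "$1"); then
        rm -rf "$work"; return 3
    fi
    got=$(openssl x509 -in "$work/cert.pem" -noout -pubkey)
    rc=0
    # The private key never leaves the AUTH tree KMO, so the issued
    # certificate must carry exactly the public key that was in the CSR.
    [ "$want" = "$got" ] || rc=1
    # The certificate must chain to the CA file exported from the IDV tree.
    if [ "$rc" -eq 0 ] &&
       ! openssl verify -CAfile "$work/ca.pem" "$work/cert.pem" >/dev/null 2>&1; then
        rc=2
    fi
    rm -rf "$work"
    return "$rc"
}
```

A non-zero result means the signed certificate belongs to a different CSR or was issued by a different CA than the one exported, so importing it into the KMO would either fail or produce a chain that clients trusting only the IDV CA will reject.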

NOTE: We have seen trouble with these screens refreshing properly in iManager.

This page (revision-7) was last changed on 22-Jan-2016 17:50 by jim