SSL certificates reside in multiple locations on the OES Linux servers. If the certificates must be replaced due to expiration or other issues this means that copies must be placed into multiple directories and daemons restarted, etc. There is an excellent Cool Solutions script "Certificate Re-creation Script for OES1, OES2 and OES 11" that helps automate much of this process. I believe that this is something that should be a native part of OES.

I believe that the following would help every System Administrator from the novice to the experienced more easily utilize Novell OES in their environments.

1.) Modify OES services to utilize a single storage location for all certificates.
2.) Create a process by which, when certificates expire, they are automatically replaced with new ones from the TREE's CA.
3.) Allow Administrators to set the certificate validity period to longer than 2 years.
4.) On the CA, make the default CRL distribution points work correctly by default. The LDAP ones rely on port 389 being open, which I am certain many do not have. So test first, and don't create the LDAP distribution point unless LDAP (389) is open. The HTTP (80) ones point to a location that doesn't exist by default, requiring the System Administrator to create a script to copy the CRL file to a web-accessible location.
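To make the test in item 4 concrete, here is an added example (mine, not Novell/NetIQ code or part of the original request) that takes the distribution point URIs already published in a certificate (for instance as printed by `openssl x509 -noout -ext crlDistributionPoints -in cert.pem`) and reports whether a relying party could actually use each one: an LDAP URI needs its port (389 by default) to accept connections, and an HTTP URI must return 200 with a non-empty body at that exact path. The hostnames, ports, paths and the stand-in CRL bytes below are constructed so the script runs offline; a local loopback HTTP server plays the role of the web root the administrator's copy script populates.

```python
"""Check whether a certificate's CRL distribution points are usable.

Added illustration; not Novell/NetIQ code. The URIs are assumed to have been
extracted already (e.g. with openssl); this only decides whether each one
would work for a relying party, which is the test the CA should make before
publishing it.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

LDAP_DEFAULT_PORT = 389


def check_ldap_dp(uri, timeout=2.0):
    """LDAP DP is usable only if the directory port accepts TCP connections."""
    parsed = urlparse(uri)
    host = parsed.hostname or "localhost"
    port = parsed.port or LDAP_DEFAULT_PORT
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"ldap port {port} open on {host}"
    except OSError as exc:
        return False, f"ldap port {port} unreachable on {host}: {exc}"


def check_http_dp(uri, timeout=2.0):
    """HTTP DP must answer 200 with a body; an unpopulated default path gives 404."""
    try:
        with urllib.request.urlopen(uri, timeout=timeout) as resp:
            body = resp.read()
            if resp.status == 200 and body:
                return True, f"http {resp.status}, {len(body)} bytes"
            return False, f"http {resp.status}, empty body"
    except urllib.error.HTTPError as exc:
        return False, f"http {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"http unreachable: {exc}"


def check_distribution_points(uris, timeout=2.0):
    """Return {uri: (usable, detail)}; other schemes are rejected outright."""
    results = {}
    for uri in uris:
        scheme = urlparse(uri).scheme.lower()
        if scheme == "ldap":
            results[uri] = check_ldap_dp(uri, timeout)
        elif scheme == "http":
            results[uri] = check_http_dp(uri, timeout)
        else:
            results[uri] = (False, f"unsupported scheme {scheme!r}")
    return results


# Constructed stand-in for a published CRL file (not a real CRL).
FAKE_CRL = b"-----BEGIN X509 CRL-----\nCONSTRUCTED-PLACEHOLDER\n-----END X509 CRL-----\n"


class _CrlHandler(BaseHTTPRequestHandler):
    """Serves only /crl/ca.crl, like a web root holding just the copied file."""

    def do_GET(self):
        if self.path == "/crl/ca.crl":
            self.send_response(200)
            self.send_header("Content-Type", "application/pkix-crl")
            self.end_headers()
            self.wfile.write(FAKE_CRL)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example output quiet
        pass


def start_local_crl_server():
    """Start the stand-in CRL web server on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _CrlHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """Pick a loopback port with no listener, standing in for a blocked 389."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the three cases from the request: populated HTTP, missing HTTP, closed LDAP."""
    server, port = start_local_crl_server()
    closed = free_port()
    uris = [
        f"http://127.0.0.1:{port}/crl/ca.crl",          # file copied into place
        f"http://127.0.0.1:{port}/crl/missing.crl",     # default path never created
        f"ldap://127.0.0.1:{closed}/cn=ca,cn=Security",  # LDAP port not open
    ]
    try:
        return check_distribution_points(uris)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for uri, (ok, detail) in demo().items():
        print("OK  " if ok else "FAIL", uri, "-", detail)
```

Only the first URI passes; the other two are exactly the failure modes the request describes, so a CA that ran this check before writing its distribution points would publish only the HTTP one. The script deliberately does not fetch or validate the CRL contents; that is a separate step once the location is known to answer.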

I don't see anyone listing this as a request, but there are some comments on the Cool Solutions article asking for some of these items. While many of us are becoming adept at the management of certificates on OES, there seems to be little reason not to automate this process so that we don't need to handle it manually.

This would leave us free to take care of other, more weighty issues unless there is a need to troubleshoot certificates, much like how NetWare handled certificates for many years.

I don't see a good category as it affects multiple systems but I'll select one.

Comments

  • Right now certificate replacement is done by a "Cool Solutions" script. There should be an automatic facility to do this built into the system (and supported). And yes, it should use the eDirectory Certificate Server, as it is much more robust than openssl. Bonus points for adding functionality to the eDirectory Certificate Server to do things like automatically mint RADIUS workstation certificates, etc.

  • I agree, they need to simplify operating OES, and certificates are a major pain point.

  • You can use the eDirectory Certificate Server self-provisioning. That's easy and works like a charm.

    https://www.novell.com/support/kb/doc.php?id=7017359

  • We have had Certificate self-provisioning on for a long time on the CA, but that doesn't take care of the myriad of other services (daemons) that rely on the certificates. I appreciate the link, but it didn't change my configuration. I have still needed to use the Cool Solutions script to correct certificate issues on my OES servers.

    NetIQ needs to pay attention to this. If a community member can help automate the process with a script, it seems that NetIQ should be able to do a lot to improve the process and automate it like NetWare used to do.