Jun 28, 2010

CA Renewal and Distribution

so your tree has been up for coming up on 10yrs...ever redo the CA? then it's time.

In Novell land, the CA is the certificate authority, the place from which all certs come from. There are plenty of TID's at Novell about changing out your CA for a new one, but not much on what to do afterwards. We hit a few snags when we redid ours, but the basic procedure goes something like this....(we got this from Novell)

Export the existing CA (you might need it if things go bad)
Delete the existing CA
Create a new CA, either choose maximum or 10yrs (that way you don't have to do this again for awhile)
Export that to a new cert and save it as rootcert.der

Go to your eDIr Master (if you have more than one, then the one with the most MASTER replicas on it.) and do the following:

  1. copy rootcert.der to sys:\public(rename the existing one first)
  2. ap2webdn
  3. tc4(5)stop (depending on which one you are running)
  4. tckeygen
  5. java -exit
  6. ap2webup
  7. tomcat4(5)(depending on which one you are running)
  8. unload nldap
  9. pkidiag
  10. options 4,5 and then 0
  11. nldap 
  12. reboot

at every step check the logger screen for errors........
 

No comments:

Post a Comment