1/24/2015 Support | How to recreate SMT 11 CA and server certificate

How to recreate SMT 11 CA and server certificate

Document ID: 7006024
Creation Date: 18 MAY 10
Modified Date: 22 JAN 15

This document (7006024) is provided subject to the disclaimer at the end of this document.

Environment
SUSE Linux Enterprise Subscription Management Tool for
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
Situation
It is usually unnecessary to recreate the CA and server certificate. If you think your CA or server certificate are not functioning as expected, you may need to recreate them. This TID explains how.

Resolution
Delete the old CA
1. Since YaST does not allow deleting the existing CA as long as it has not expired, the related files have to be deleted manually.
2. Open a shell, change to /var/lib/CAM and move the directory of the existing CA to /tmp/, e.g. by executing "mv YaST_Default_CA /tmp/". Attention: Do not move or delete the ".cas" directory.
Create root CA
1. From the root shell start 'yast2 ca_mgm'.
2. Select 'Create Root CA'.
3. For "CA Name" and "Common Name" enter "YaST_Default_CA". Please note not to use the server name or server FQDN here, since this would complicate later error analysis!
4. Enter the email address of the issuer (and select "Add") and enter optional information such as organization, unit, locality, state and country.
5. Select "Next".
6. Choose the password, the length of the key and its validity.
7. Select "Next" to see an overview of the CA.
8. Select "Create" to create the CA.
Create server certificate
1. Select the newly created CA in the YaST2 CA management module.
2. Press "Enter CA".
3. Enter the CA password.
4. Select the Certificates tab.
5. Click on "Add" and choose Server Certificate.
6. Provide the requested data:
7. For Common Name put in the fully qualified domain name (FQDN) of the server, for example "smtserver.example.net". This is mandatory!
8. Add a valid email address of the server administrator and press "Add".
9. Press "Next".
10. Here it is possible to either use the CA password for the server certificate or a different one. Key length and validity may also be changed.
11. Add the DNS hostname and IP address to the Subject Alternative Name. Adding the IP is optional, but the DNS hostname must be added, otherwise the certificate will not be accepted by all implementations. Adding the IP address has the advantage that clients could also use the IP to connect to the SMT server, but as the IP might change, the DNS hostname should be preferred. Add additional DNS hostnames and IP addresses of the SMT server if needed.
    Select 'Advanced Options'.
    Select 'Subject Alt Name' (not to be confused with Issuer Alt Name!!).
    Select 'Add'.
    Choose 'DNS' and put in the hostname (CN) of the server.
    Choose 'IP' and put in the IP address of the server.
12. Select 'Next' to get to an overview of the certificate.
13. Select 'Create' to create the server certificate.
Export the certificate as common server certificate, so that the http server apache uses it
1. On the certificates tab locate the "Export" button.
2. Select "Export as common server certificate".
3. Enter the password that was chosen for the server certificate.
4. A message "Certificate has been written as common server certificate" will be displayed.
Export the CA certificate to the smt.crt file
1. In the YaST2 CA management module change to the "Description" tab and select "Advanced / Export to File".
2. Select "Only the Certificate in PEM Format" and enter "/srv/www/htdocs/smt.crt" as the file name.
3. Select "Ok" to export the file.
4. Leave YaST.
Restart SMT
1. Restart the smt server by entering "rcsmt restart" into the root shell. This will also restart the http server apache, so that apache uses the new certificate.
Import the newly created CA to the SMT clients
1. Execute "clientSetup4SMT.sh --host smtserver.example.net" (adjust the FQDN to your SMT server) to import the new CA to the SMT clients and to make the clients trust the new CA. On SLE 11 clients you can alternatively use the "yast2 inst_suse_register" module (select "Advanced" and follow the instructions).
2. Execute "suse_register -L /root/.suse_register.log" to register the client against the SMT server.

Additional Information
Please note: if the server certificate of the SMT system has expired (by default this happens after one year), you don't need to recreate the CA. Just create a new server certificate, export it as common server certificate and restart the smt service as described above. There is no need to make any changes to the clients either, as they will automatically accept the new server certificate because they already trust the Root CA.
Please find more documentation on Certificates in the SMT 11 documentation at http://www.novell.com/documentation/smt11/. There, see chapter 7.3, Server Certificates.

Disclaimer
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or noncommercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

https://www.novell.com/support/kb/doc.php?id=7006024
