Obtaining Externally Signed Certificates

The following sections explain how to create certificate signing requests for Identity Server and Access Gateway, how to use the requests to obtain signed certificates, then how to import the signed certificates and the root certificate of the Certificate Authority into Access Manager.

Creating the Certificate Signing Request

You need to create two certificate signing requests: one for Identity Server and one for Access Gateway. The Certificate name and the Common name need to be different, but the other values can be the same.

What you need to know or create

Example

Your Value

Certificate name

ipda_test or lag_test

________________________ ________________________

Certificate Subject Fields:

 

 

 

Common name

ipda.test.novell.com or lag.test.novell.com

________________________ ________________________

 

Organizational unit

novell

________________________

 

Organization

test

_______________________

 

City or town

Provo

________________________

 

State or province

UTAH

_______________________

 

Country

US

 

To create a signing request for Identity Server:

  1. Click Security > Certificates > New.

  2. Select the Use External certificate authority option.

  3. Specify the following details:

    Certificate name: idpa_test

    Signature algorithm: Accept the default.

    Valid from: Accept the default.

    Months valid: Accept the default.

    Key size: Accept the default.

  4. Click the Edit icon on the Subject line.

  5. Specify the following details:

    Common name: idpa.test.novell.com

    Organizational unit: novell

    Organization: test

    City or town: Provo

    State or province: UTAH

    Country: US

  6. Click OK twice, then click the name of the certificate.

  7. Click Export CSR.

    The signing request is saved to a file.

  8. Repeat Step 1 through Step 7 to create a signing request for Access Gateway.

Getting a Signed Certificate

Send the certificate signing request to a certificate authority and wait for the CA to return a signed certificate or you can use a trial certificate for testing while you wait for the official certificate. Companies such as VeriSign offer trial signed certificates for testing.

Modify the following instructions for the CA you have selected to sign your certificates:

  1. Set up an account with a certificate authority and select the free trial option.

  2. Open your certificate signing request for Identity Server in a text editor.

  3. Copy and paste the text of the certificate request into the appropriate box for a trial certificate.

  4. If CA requires that you select a server platform, select eDirectory if available. If eDirectory is not a choice, select unknown or server not listed.

  5. Click Next, then copy the signed certificate and paste it into a new text file or at the bottom of the signing request file.

  6. Click Back, and repeat Step 2 through Step 5 for Access Gateway.

  7. Follow the instructions of the vendor to download the root certificate of the Certificate Authority and any intermediate CA certificates.

Importing the Signed Certificates and Root Certificate

The following steps explain how to imported the signed certificates and the trust root into Administration Console so that they are available to be assigned to key stores and trusted root stores.

  1. Click Security > Trusted Roots.

  2. Click Import, then specify a name for the root certificate.

  3. Either click Browse and locate the root certificate file or select Certificate data text and paste the certificate in the text box.

  4. Click OK.

    The trusted root is added and is now available to add to trusted root stores.

  5. (Conditional) Repeat Step 2 through Step 4 for any intermediate CA certificates.

  6. In a text editor, open the signed certificate for Identity Server.

  7. Click Security > Certificates, then click the name of certificate signing request for Identity Server.

  8. Click Import Signed Certificate, then select Certificate data text (PEM/Based64).

  9. Paste the text for the signed certificate into the data text box. Copy everything from

    -----BEGIN CERTIFICATE-----

    through

    -----END CERTIFICATE-----

  10. Click Add trusted root, then either click Browse and locate the root certificate file or select Certificate data text and paste the certificate in the text box.

  11. (Conditional) For any intermediate CA certificates, click Add intermediate certificate, then either click Browse and locate the intermediate certificate file or select Certificate data text and paste the certificate in the text box.

  12. Click OK.

    The certificate is now available to be assigned to the keystore of a device.

  13. Repeat Step 6 through Step 12 for Access Gateway certificate.

NOTE:If the certificate fails to import and you receive an error, it is probably missing a trusted root certificate in a chain of trusted roots. To determine whether this is the problem, see Resolving a -1226 PKI Error and Importing an External Certificate Key Pair.