15.4 Usage of Commands

15.4.1 Listing of Certificates Used by OES Services

View certificate details of all the services configured on the OES server where the certificate script is executed.

The output of the --list command is recorded in the json files – Based on services (certlist-service.json) and certificates (certlist-cert.json). These files capture all the certificate attributes such as certificate path on the OES server, and details of the certificate like subject, issuer, expiry date and whether the certificate is self-signed or CA Signed. For every certificate, details of the services are also listed. The file captures same data in different format in both the files.

Before replacing the json files with the output of --list command, it is backed up and available at the /var/opt/novell/oes-cert-mgmt/ location.

Service-specific Format

On OES terminal, execute /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-list --list service. The output of this command is written to the /var/opt/novell/oes-cert-mgmt/certlist-service.json file.

Figure 15-1 Certilist-service.json file

Certificate-specific Format

On OES terminal, execute /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-list --list certificate. The output of this command is written to the /var/opt/novell/oes-cert-mgmt/certlist-cert.json file.

Figure 15-2 Certilist-cert.json file

15.4.2 Configuration file

Figure 15-3 oes-cert-mgmt.conf file

Configuring Alerts For Certificate Expiry

The administrator receives an alert about the expiry of the certificates every Friday through an email 90 days in advance. The system date is considered for identifying expiry status of the certificates. Details of expired certificates or certificates getting expired within 90 days are available in json format.

To receive an alert, do the following:

  1. On the OES terminal, modify the /etc/opt/novell/oes-cert-mgmt/oes-cert-mgmt.conf file.

    1. Modify the following attributes:

      mail-alert=Yes
mail-alert-to-address=claire@gmail.com,albert@gmail.com
mail-alert-from-address=claire@gmail.com

      It is recommended to mention your email address in the “mail-alert-from-address” attribute too, else specifying server name might be treated as spam by the mailbox.

      Multiple email addresses can be specified in the mail-alert-to-address attribute.

  2. An email is sent to the address specified in the "mail-alert-to-address" attribute and, by default, to the system’s root user. The email is sent only when one or more certificates are expiring within 90 days. The details are specified in the certificate.json file.

    Email Frequency: An alert email is sent every Friday at midnight to the root user and the specified email address.

Configuring Error Logging

To configure the error logging setting for the certificate messages, use the log-level parameter in the /etc/opt/novell/oes-cert-mgmt/oes-cert-mgmt.conf configuration file.

The severity levels available are ERROR, INFORMATION and DEBUG.

To set the severity level, set the following:

log-level=severity_level (DEBUG,INFO OR ERROR)

For example,

log-level=DEBUG

15.4.3 Reconfiguring Certificates

An admin can reconfigure OES services to use new certificates using the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig. The existing certificates are backed up with .cert-mgmt.bak extension before replacement.

Listed below are the options supported for reconfiguration:

  • certchange: Replace an existing certificate with a new one and reconfigure all the services to use the new certificate.

  • reconfig: Reconfigures selected services to use a new certificate.

  • edircertchange: When the eDirectory server certificate is changed, all the services are configured to use the new certificate.

  • movetoedircert: Used for reconfiguring services that use self-signed or third-party CA-signed certificates to use the eDirectory server certificate.

Figure 15-4 Certificate Management Command Line Help