15.5 Examples

15.5.1 Example - Replacing Expired or Corrupted Certificate

A CA-signed certificate has expired or become corrupted and requires replacement with a new certificate.

The expired certificate is located in /etc/ssl/servercerts/, which contains the .pem files for both the server certificate and its private key. The root user copies the new server certificate and its private key, both as .pem files, to a temporary location, /etc/opt/novell/oescerts. The CA certificate (.pem file) is located in /etc/ssl/certs/.

To reconfigure all the services with a new certificate and then restart the services, do the following:

  1. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig --operation certchange --currentcert /etc/ssl/servercerts/oescert.pem --currentcertkey /etc/ssl/servercerts/oescertserverkey.pem --newcert /etc/opt/novell/oescerts/oesnewservercert.pem --newprivatekey /etc/opt/novell/oescerts/oesnewcertkey.pem --newcacert /etc/ssl/certs/CACert.pem --restart yes

    When you execute this command, all the OES services on this server are automatically restarted and start using the new certificate.

    By default, the option --restart no is set. A service restart is required to apply the new certificate.

    For details, refer to the /var/opt/novell/log/oes-cert-mgmt/oes-cert-mgmt.log file.

    The contents of /etc/ssl/servercerts/oescert.pem and /etc/ssl/servercerts/oescertkey.pem are replaced with the contents of oesnewservercert.pem and oesnewcertkey.pem. The certificates being replaced are backed up in the same location with the .cert-mgmt.bak extension.

15.5.2 Example - Replacing Expired or Corrupted Certificate of CIS Server

An eDirectory certificate or Cluster Resource certificate has expired or become corrupted and requires replacement with a new certificate on a CIS server.

eDirectory Certificate

The eDirectory certificate has expired or is corrupted. To reconfigure the CIS service with a new eDirectory server certificate, do the following:

  1. Delete the existing eDirectory server certificate files from the /etc/ssl/servercerts location.

  2. Regenerate a new eDirectory server certificate and copy it to the /etc/ssl/servercerts location.

  3. Restart the eDirectory service so the new certificate is applied.

  4. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig --operation edircertchange --restart yes

    When you execute this command, the CIS service and any other services on this server are automatically restarted to use the new eDirectory server certificate from the /etc/ssl/servercerts location.

    By default, the option --restart no is set. A CIS service restart is required to apply the new certificate.

    For details, refer to the /var/opt/novell/log/oes-cert-mgmt/oes-cert-mgmt.log file.

Cluster Resource Certificate

The current certificate is located in /etc/opt/novell/cis/certs/, which contains the .pem files for the server certificate and its private key. Copy the regenerated server certificate and its private key, both as .pem files, to a temporary location, /etc/opt/novell/cis/temporary. The root certificate, SSCert.pem, is located in /etc/opt/novell/certs/.

To reconfigure the CIS Cluster Resource certificate with a new certificate, do the following:

  1. Regenerate a new server certificate and copy it to the /etc/opt/novell/cis/temporary/ location. For more information, see Creating Certificates in the Cloud Integrated Storage Administration Guide.

  2. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig --operation certchange --currentcert /etc/opt/novell/cis/certs/servercert.pem --currentcertkey /etc/opt/novell/cis/certs/serverkey.pem --newcert /etc/opt/novell/cis/temporary/servercert.pem --newprivatekey /etc/opt/novell/cis/temporary/serverkey.pem --newcacert /etc/opt/novell/certs/SSCert.pem --restart yes

    When you execute this command, the CIS service on this server is automatically restarted to begin using the new certificate.

    By default, the option --restart no is set. A CIS service restart is required to apply the new certificate.

    For details, refer to the /var/opt/novell/log/oes-cert-mgmt/oes-cert-mgmt.log file.

    The existing certificates are backed up with the .cert-mgmt.bak extension before being replaced with the new certificate.

15.5.3 Example - Reconfiguring Services to Use 3rd party CA Signed Certificate

The OES services are using the eDirectory certificate. The organization policy has changed, and a few of the services (SFCB and Apache) must now use the new certificates issued by the third-party CA.

The services to be reconfigured to use the new certificate are specified with the command-line parameter --listofservices; only supported services can be listed there.

The new certificate is located in /etc/opt/novell/certs, which contains the .pem files for both the server certificate and its private key. The CA certificate (.pem file) is located in /etc/ssl/certs/.

To force the existing services to use the new certificate, do the following:

  1. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig --operation reconfig --newcert /etc/opt/novell/certs/oesservercert.pem --newprivatekey /etc/opt/novell/certs/oesserverkey.pem --newcacert /etc/ssl/certs/CompanyCACert.pem --listofservices sfcb,apache --restart yes

    When you execute this command, SFCB and Apache services are automatically restarted to begin using the new certificate signed by the third-party CA.

    By default, the option --restart no is set. A service restart is required to apply the new certificate.

    For details, refer to the /var/opt/novell/log/oes-cert-mgmt/oes-cert-mgmt.log file.
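The certchange and reconfig examples in 15.5.1, 15.5.2 (Cluster Resource Certificate) and 15.5.3 all hand a new certificate, its private key and a CA certificate to oes-cert-mgmt-reconfig, which then overwrites the live files and restarts the services. The following shell script is an added example and is not part of OES or the oes-cert-mgmt tooling. It checks those three files with the openssl command line before you run the reconfig: that the private key belongs to the certificate, that the certificate verifies against the CA you intend to pass as --newcacert, that it is not about to expire (the 7-day threshold is an assumption), and that the key file is not readable by other users. The paths in the usage comment are the ones from 15.5.3.

```sh
#!/bin/sh
# Pre-flight check for an oes-cert-mgmt-reconfig certificate change.
# Added example, not part of the OES tooling. Validates the files you are
# about to pass as --newcert, --newprivatekey and --newcacert before the
# reconfig replaces the live certificate and restarts services.
#
# Usage (paths from example 15.5.3):
#   sh preflight-cert-check.sh /etc/opt/novell/certs/oesservercert.pem \
#       /etc/opt/novell/certs/oesserverkey.pem /etc/ssl/certs/CompanyCACert.pem
#
# Exit status 0 means every check passed; non-zero means do not run
# oes-cert-mgmt-reconfig yet. Requires the openssl CLI.

# Minimum remaining validity we accept, in seconds (assumption: 7 days).
MIN_VALIDITY_SECS=604800

fail() {
    printf 'FAIL: %s\n' "$1" >&2
    return 1
}

# preflight_cert_check NEWCERT NEWKEY CACERT
preflight_cert_check() {
    cert=$1; key=$2; ca=$3

    # 1. All three files must exist and be readable.
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { fail "cannot read $f"; return 1; }
    done

    # 2. The certificate must parse as a PEM X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { fail "$cert is not a valid PEM certificate"; return 1; }

    # 3. The private key must belong to the certificate: compare the
    #    SubjectPublicKeyInfo derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { fail "$key is not a readable private key"; return 1; }
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { fail "public key in $cert does not match private key $key"; return 1; }

    # 4. The certificate must chain to the CA given as --newcacert; otherwise
    #    the restarted services present a certificate clients cannot verify.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { fail "$cert does not verify against CA $ca"; return 1; }

    # 5. Never swap in a certificate that is already (or nearly) expired.
    openssl x509 -in "$cert" -noout -checkend "$MIN_VALIDITY_SECS" >/dev/null 2>&1 \
        || { fail "$cert expires within $MIN_VALIDITY_SECS seconds"; return 1; }

    # 6. The key file must not be group- or world-readable (mode 600 or 400).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) fail "$key has mode $mode; expected 600 or 400"; return 1 ;;
    esac

    printf 'OK: %s, %s and %s are consistent; safe to run oes-cert-mgmt-reconfig\n' \
        "$cert" "$key" "$ca"
    return 0
}

# Run as a script with three arguments; does nothing when sourced.
if [ "$#" -eq 3 ]; then
    preflight_cert_check "$1" "$2" "$3"
    exit $?
fi
```

Run it with the same three paths you intend to give --newcert, --newprivatekey and --newcacert. A non-zero exit means the input should be fixed first: oes-cert-mgmt-reconfig backs up the old files with the .cert-mgmt.bak extension, but with --restart yes the services would already be serving the bad certificate by the time you notice.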

15.5.4 Example - Replacing Expired or Corrupted eDirectory Server Certificate

The services are using the default eDirectory certificate, and it has expired or is corrupted. To reconfigure all the services that use the eDirectory certificate with a new eDirectory server certificate, do the following:

  1. Delete the existing eDirectory server certificate files from the /etc/ssl/servercerts location.

  2. The administrator regenerates a new eDirectory server certificate and copies it to the /etc/ssl/servercerts location.

  3. Restart the eDirectory service so the new certificate is applied.

  4. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig --operation edircertchange --restart yes

    When you execute this command, all the OES services on this server are automatically restarted to begin using the new eDirectory server certificate from the /etc/ssl/servercerts location.

    By default, the option --restart no is set. A service restart is required to apply the new certificate.

    For details, refer to the /var/opt/novell/log/oes-cert-mgmt/oes-cert-mgmt.log file.

15.5.5 Example - Moving from Self-Signed Certificates to eDirectory Server Certificate On Upgrade

When upgrading a server from OES 2023 to OES 23.4 or later, it is recommended that the services use the eDirectory server certificate or any CA-signed certificate instead of a self-signed certificate.

On an OES 2023 server, the SFCB and Postgres services use a self-signed certificate. Perform the following steps so that these services use the eDirectory server certificate.

  1. Upgrade the OES 2023 server to OES 23.4 or later.

  2. Verify which services use a self-signed certificate.

    1. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-list --list certificate

      In the /var/opt/novell/oes-cert-mgmt/certlist-cert.json file, the entries for SFCB and Postgres show "certType":"self-signed".

  3. Change the services to use the eDirectory server certificate.

    1. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-reconfig --operation movetoedircert --listofservices sfcb,Postgres --restart yes

      A success message is displayed for restarting the SFCB and Postgres services, along with a message stating that the selected services have been moved to the eDirectory server certificate.

      By default, the option --restart no is set. A service restart is required to apply the new certificate.

  4. Verify that SFCB and Postgres are using the eDirectory server certificate.

    1. On the OES terminal, execute the command /opt/novell/oes-cert-mgmt/bin/oes-cert-mgmt-list --list certificate

      In the /var/opt/novell/oes-cert-mgmt/certlist-cert.json file, the entries for SFCB and Postgres now show "certType":"CA-signed".