Multiple Trees Sharing A Common Root; Setting Up Certificate Management; Setting Up Automatic Certificate Maintenance; Eliminating Browser Certificate Errors - Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual


22.1.3 Multiple Trees Sharing a Common Root

The Organizational CA can be configured to act as a sub-CA. This lets multiple trees share a
common root certificate. The root certificate can be stored in a physically protected tree. It can also
integrate with a third-party PKI. For more information, see "Subordinate Certificate Authority" in
the Novell Certificate Server 3.3.4 Administration Guide.

22.2 Setting Up Certificate Management

Use the information in the following sections to help you set up certificate management as you
install OES 2.
Section 22.2.1, "Setting Up Automatic Certificate Maintenance," on page 230
Section 22.2.2, "Eliminating Browser Certificate Errors," on page 230

22.2.1 Setting Up Automatic Certificate Maintenance

To set up your server so that HTTPS services use eDirectory certificates, you must specify the Use
eDirectory Certificates for HTTP Services option while installing or upgrading eDirectory.

This installs eDirectory keys and certificates on the server, but it does not configure the server to
automatically replace the certificates when they expire. Automatic maintenance requires that Server
Self-Provisioning be enabled as follows:

1 On the server you are configuring, in iManager > Roles and Tasks, click the Novell Certificate
  Access > Configure Certificate Authority option.

2 Click Enable server self-provisioning.

  This causes automatic certificate replacement for the conditions described in "PKI Health
  Check" on page 229.

  IMPORTANT: If you enable Server Self-Provisioning in an OES 2 tree and you have created a
  CRL configuration object but not yet configured any CRL distribution points, the PKI Health
  Check might replace the default certificates every time it runs.

  To avoid this, you can either

    Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points
    by using iManager's Configure Certificate Authority task.

  or

    Delete any CRL Configuration objects, for example CN=One - Configuration.CN=CRL
    Container.CN=Security.

3 If you also want the CA certificate to be replaced if it changes or expires, click the Health
  Check - Force default certificate creation/update on CA change option.

22.2.2 Eliminating Browser Certificate Errors

Because the Internet Explorer and Mozilla Firefox browsers don't trust eDirectory certificate
authorities by default, attempts to establish a secure connection with OES 2 servers often generate
certificate errors or warnings.
These are eliminated by importing the eDirectory tree CA's self-signed certificate into the browsers.
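
A check to run on the exported tree CA certificate before importing it into a browser, given here as an added example that is not part of the Novell guide. It assumes the OpenSSL command-line tool, an export in Base64 (PEM) or binary DER form, and a SHA-256 fingerprint obtained separately from the file itself; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Novell guide. Function names are hypothetical.
# Assumes the openssl CLI and a CA certificate exported as Base64 (PEM) or DER.

# Emit the certificate as PEM whichever of the two export formats was used.
as_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER 2>/dev/null
}

# SHA-256 fingerprint as uppercase hex without colons.
ca_fingerprint() {
    as_pem "$1" | openssl x509 -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# check_tree_ca FILE EXPECTED_FINGERPRINT
# Succeeds only if FILE is a self-signed CA certificate whose fingerprint
# equals a value obtained separately from the file (colons and case ignored).
check_tree_ca() {
    tmp=$(mktemp) || return 2
    if ! as_pem "$1" > "$tmp"; then
        echo "FAIL: $1 is not an X.509 certificate" >&2
        rm -f "$tmp"; return 2
    fi
    rc=0
    # Self-signed: issuer name equals subject name and the signature
    # verifies under the certificate's own public key.
    [ "$(openssl x509 -in "$tmp" -noout -subject_hash)" = \
      "$(openssl x509 -in "$tmp" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$tmp" "$tmp" >/dev/null 2>&1 ||
        { echo "FAIL: certificate is not self-signed" >&2; rc=1; }
    # A trust anchor for issuing server certificates must assert CA:TRUE.
    openssl x509 -in "$tmp" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints does not say CA:TRUE" >&2; rc=1; }
    # The file must be the certificate the tree administrator vouched for.
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$(ca_fingerprint "$tmp")" = "$want" ] ||
        { echo "FAIL: fingerprint does not match expected value" >&2; rc=1; }
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh check_tree_ca.sh <exported-ca-cert> <expected-sha256-fingerprint>
if [ "$#" -eq 2 ]; then
    check_tree_ca "$1" "$2" && echo "OK: $1 is the expected self-signed CA certificate"
fi
```

A certificate that fails any of the three checks should not be added to a browser trust store, because every certificate it signs would then be trusted for all sites.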
230 OES 2 SP3: Planning and Implementation Guide