I have many certificates that are expiring or have recently expired, and
I've tried to use PKDIAG to recreate them. Unfortunately, PKDIAG fails
at step 6 with error "35323". I can't seem to find any good information
on this error, nor how to correct it. This is a network with eight
NetWare 6.5.3 servers, and two NetWare 6.5.5 servers. The CA is on one
of the 6.5.3 servers.

I can manually recreate the certificates from C1, but I am concerned
with the failure of PKDIAG to do its job. The PKDIAG log is below for a
server that I went ahead and manually recreated the certs for. The
servers that have the expired/expiring certs show pretty much the same
thing, just with errors for each of the expired certs, and as I said
PKDIAG fails to recreate them. Any suggestions?

I had planned to update everything to SP6 this weekend, but I'm uneasy
about adding service packs if there are problems. Is this something I
need to be concerned about?

Thanks,

Greg Niese


---------------------------------------------------------------------------
PKIDiag 2.70 -- (compiled Dec 09 2003 19:46:03).
(Check the end of the log for the last repair results)
Current Time: Fri Jan 5 21:54:51 2007
User logged-in as: admin.UNIT.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'TEST3A'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'TEST3A.UNIT' points to SAS Service object 'SAS Service -
TEST3A.UNIT'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - TEST3A.UNIT' is backlinked to
server 'TEST3A.UNIT'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - TEST3A.UNIT'.
--->KMO SSL CertificateIP - TEST3A.UNIT is linked.
--->KMO SSL CertificateDNS - TEST3A.UNIT is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateDNS - TEST3A.UNIT'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - TEST3A.UNIT'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateDNS - TEST-DR2.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST-dr2\.TESTpower\.com - TEST-DR2.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST-DR2.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.237 - TEST-DR2.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateSMTP - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIPRINT - TEST3B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - TEST-DR1.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST-dr1\.TESTpower\.com - TEST-DR1.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST-DR1.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.238 - TEST-DR1.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateGWMSG - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateGWMSG - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST3b - TEST3B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST2a - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificatePVT - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificatePVT - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - BACKUP1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST1b - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.243 - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.253 - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.240 - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.254 - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG BACKUP1A - BACKUP1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.249 - BACKUP1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST2b\.TESTpower\.com - TEST2B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - TEST2B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - TEST3B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST2B - TEST2B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST3b\.TESTpower\.com - TEST3B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST2B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST3B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.245 - TEST2B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.248 - TEST3B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST2a\.TESTpower\.com - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.244 - TEST2A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST1a\.TESTpower\.com - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST1A - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.241 - TEST1A.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG TEST1b\.TESTpower\.com - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG 192\.168\.1\.242 - TEST1B.UNIT'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.

Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - TEST3A.UNIT'.
KMO 'SSL CertificateIP - TEST3A.UNIT' is linked.
KMO 'SSL CertificateDNS - TEST3A.UNIT' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 192.168.1.247
--> The KMO SSL CertificateIP's IP Address is: 192.168.1.247.O=TEST
----> The IP addresses match.
Step 6 failed 35323.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 0
Problems fixed: 0
Un-fixable problems found: 0