eDirectory v.20803.05
iManager 2.7.7 workstation install (no Tomcat on a server)

Since I want nobody to have access to my CA through LDAP or HTTP, I chose to remove all CDPs from my CRL (eDirectory 8.8.8 creates certificates with this extension by default it seems; 8.8.6 did not do so). To make certificate checking possible I made a script to copy the CRL to a web server (HTTP) and changed the CRL config accordingly (so that in the CDP extension two http://mywebressource.mydomain/cert/edirectory.crl are written to newly created certificates).

Creating a new certificate or repairing the default certificates (with 'Force the generation of new default certificates' set to 'YES'), then navigating to NetIQ Certificate Access | Server Certificate | Choose Server and 'Validate' certs results in: Invalid: CRL Decode Error.

The URL is accessible and the CRL can be fetched there. In a network trace I can't see any HTTP traffic for the check. Only when I add a local LDAP URL to the CDP (in the CRL, and then recreate the certificates) AND change the LDAP configuration to not impose any restrictions on binds (AND change my firewall to let anybody through to that server on 389 for 'real' certificate validation in the 'real' world) does the validation in iManager work.

Found https://www.novell.com/support/kb/doc.php?id=3205138, but I can see no HTTP at all in the LAN trace.

Thanks in advance, florian

florianz's Profile: https://forums.netiq.com/member.php?userid=309
View this thread: https://forums.netiq.com/showthread.php?t=52577
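The following is an added diagnostic script, not part of the original post and not NetIQ or eDirectory tooling. It checks the kind of HTTP-published CRL the post describes from the validator's side: whether the file served at the CDP URL is DER-encoded (what RFC 5280 expects an HTTP CDP to return) or PEM, whether openssl can decode it at all, and which CDP URIs a given certificate actually carries. It assumes `curl` and `openssl` (1.1.1 or newer for `-ext`) are installed; `CRL_URL` and the file paths are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a CRL published over HTTP as in the post above.
# Assumptions: curl and openssl are available; CRL_URL is a placeholder.

# Classify a CRL file by its leading bytes. RFC 5280 expects an HTTP CDP to
# serve a DER-encoded CRL, whose first byte is the ASN.1 SEQUENCE tag 0x30.
# A PEM file (text with "-----BEGIN X509 CRL-----") or a copy that was mangled
# in transit (e.g. a text-mode transfer) is a common source of "decode error".
crl_encoding() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    elif head -c 24 "$1" | grep -q '^-----BEGIN X509 CRL-----'; then
        echo pem
    else
        echo unknown
    fi
}

# Decode the CRL with openssl in the detected encoding and print issuer,
# lastUpdate and nextUpdate. If openssl cannot parse it, a validator will
# not either; an expired nextUpdate also fails validation on many stacks.
crl_parse() {
    enc=$(crl_encoding "$1")
    case "$enc" in
        der) openssl crl -inform DER -in "$1" -noout -issuer -lastupdate -nextupdate ;;
        pem) openssl crl -inform PEM -in "$1" -noout -issuer -lastupdate -nextupdate ;;
        *)   echo "$1: not a DER or PEM CRL" >&2; return 1 ;;
    esac
}

# Fetch the CRL from the CDP URL the way a client would, keep the response
# headers so the Content-Type can be inspected, then decode the body.
# $1 = URL, $2 = output file.
crl_fetch_and_check() {
    curl -fsS -D "$2.headers" -o "$2" "$1"
    grep -i '^content-type:' "$2.headers" || echo "no Content-Type header returned"
    crl_parse "$2"
}

# List the CDP URIs embedded in a certificate (PEM), to confirm the
# certificate really points at the HTTP location that is being served.
cert_cdp_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -o 'URI:[^ ]*'
}

# Usage (placeholders): CRL_URL=http://mywebressource.mydomain/cert/edirectory.crl
# Run only when CRL_URL is set so the script also sources cleanly offline.
if [ -n "${CRL_URL:-}" ]; then
    crl_fetch_and_check "$CRL_URL" "${CRL_FILE:-/tmp/edirectory.crl}"
fi
```

If `crl_encoding` reports `pem` or `unknown` for the file fetched from the HTTP CDP, that alone explains a decode error and points at the copy script rather than at the validator.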