
Thread: Move Certificate Authority to new Server or create a new CA

  1. #1
    Join Date
    Nov 2018
    Posts
    45

    Move Certificate Authority to new Server or create a new CA

    I have several, in three separate Trees, OES 2015.1, eDir 8.8 sp8 servers. I will be replacing these servers with SLES 12 sp3, eDir 9.1 servers. New VM, new name and IP, same Tree.

    I have read moving an 8.8 CA to a 9.1 server is not recommended.

    Should I create a new eDir 9.1 CA on one of the new 9.1 servers? What are the consequences?

    Thank you!

  2. #2

    Re: Move Certificate Authority to new Server or create a new CA

    On 05/07/2019 08:54 AM, ka12312 wrote:
    >
    > I have several, in three separate Trees, OES 2015.1, eDir 8.8 sp8
    > servers. I will be replacing these servers with SLES 12 sp3, eDir 9.1
    > servers. New VM, new name and IP, same Tree.
    >
    > I have read moving an 8.8 CA to a 9.1 server is not recommended.


    Have a link to that recommendation?

    > Should I create a new eDir 9.1 CA on one of the new 9.1 servers. What
    > are the consequences.


    I migrated a system like this a month ago and had no issues with the CA
    move. eDirectory 9.1 has more options for more-secure CAs, but it seems to
    run the old one just fine too so if changing hardware I would probably
    prefer to stick with that which works, and then upgrade the CA as
    appropriate once everything else is known to work. I personally prefer
    limiting the number of things changing at a time as it makes isolating
    problems (if/when they show up) easier.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.

  3. #3
    Join Date
    Nov 2018
    Posts
    45

    Re: Move Certificate Authority to new Server or create a new

    http://support.novell.com/Platform/P...18399_f.1.html

    Note 1: Problems will occur, specifically with the CRLs, moving a RootCA from a 8.8 SP8 to a 9.x server. This is not recommended. If moving the RootCA to a 9.x server is desired, first upgrade both the current and future CAs to 9.x before doing so

    Looking for Docs to upgrade per the above link. Any recommendations as I'm not finding something explicit to upgrade an 8.8 CA to 9.1 CA.

    Thank you!

  4. #4

    Re: Move Certificate Authority to new Server or create a new CA

    ka12312 wrote:

    > Looking for Docs to upgrade per the above link. Any recommendations as
    > I'm not finding something explicit to upgrade an 8.8 CA to 9.1 CA.


    Updating Edir on the old box to 9.x will also update the CA code, I guess.

    Since I did not read that TID before I just moved CAs from Edir 8.8.8.10 to
    Edir 9.x servers in the same tree just by exporting the CA keys, deleting the
    CA object, then recreating on the 9.x server from the export file. No problems
    whatsoever with the new CA. But if the TID recommends updating the existing CA
    first, why not just do it?

    --
    http://www.is4it.de/en/solution/iden...ss-management/

    (If you find this post helpful, please click on the star below.)

  5. #5
    Join Date
    Nov 2018
    Posts
    45

    Re: Move Certificate Authority to new Server or create a new

    I have been looking for a doc to upgrade the CA and I can't find one. Any recommendations. Thank you.

    Quote Originally Posted by lhaeger
    ka12312 wrote:

    > Looking for Docs to upgrade per the above link. Any recommendations as
    > I'm not finding something explicit to upgrade an 8.8 CA to 9.1 CA.


    Updating Edir on the old box to 9.x will also update the CA code, I guess.

    Since I did not read that TID before I just moved CAs from Edir 8.8.8.10 to
    Edir 9.x servers in the same tree just by exporting the CA keys, deleting the
    CA object, then recreating on the 9.x server from the export file. No problems
    whatsoever with the new CA. But if the TID recommends updating the existing CA
    first, why not just do it?

    --
    http://www.is4it.de/en/solution/iden...ss-management/

    (If you find this post helpful, please click on the star below.)

  6. #6
    Join Date
    Nov 2018
    Posts
    45

    Re: Move Certificate Authority to new Server or create a new

    I am concerned about the CRL as I have no idea what apps may be using it. We use eDir for our LDAP environment with many different apps using eDir. There is one CRL on the CA (One) which issues every two weeks. Is this created by default or perhaps a previous admin created it. Any idea a way to find out which apps may be using it. Long shot I know. Appreciate your input.

  7. #7

    Re: Move Certificate Authority to new Server or create a new CA

    ka12312 wrote:

    > Any recommendations


    Open a service request to get it straight from the horse's mouth.

    Support will also be able to tell you how to make sure any existing CRLs can
    be migrated, if necessary. I suspect deleting and re-creating the CRL is all
    that's required.

    Does your existing CRL actually list revoked certs, btw? Check in iManager
    (Cert Server > Configure CA > CRL > Details): it is usually empty. If it is in
    your setup as well, nothing to worry about in the first place.

    And if you really distribute a list of revoked certs, you could export them
    from iManager and reimport them again into a fresh CRL after the Update (in
    case the CRL gets destroyed somehow and you have to delete/recreate). Do not
    forget to take note of the distribution points as well, those should not
    change, I guess.

    --
    http://www.is4it.de/en/solution/iden...ss-management/

    (If you find this post helpful, please click on the star below.)

  8. #8
    Join Date
    Nov 2018
    Posts
    45

    Re: Move Certificate Authority to new Server or create a new

    Details are empty so I guess I am good. Thank you!!

  9. #9
    klasen, Micro Focus Employee - Ultra Contributor
    Join Date
    Nov 2007
    Location
    Germany
    Posts
    356

    Re: Move Certificate Authority to new Server or create a new CA

    On 2019-05-15 17:36, ka12312 wrote:
    >
    > I am concerned about the CRL as I have no idea what apps may be using
    > it. We use eDir for our LDAP environment with many different apps using
    > eDir. There is one CRL on the CA (One) which issues every two weeks. Is
    > this created by default or perhaps a previous admin created it. Any idea
    > a way to find out which apps may be using it. Long shot I know.
    > Appreciate your input.


    Did you put a Certificate Revocation List Distribution Point extension
    into the certificates issued by this CA? That is what applications would
    use to retrieve the CRL.


    --
    Norbert

  10. #10
    Join Date
    Nov 2018
    Posts
    45

    Re: Move Certificate Authority to new Server or create a new

    In another Tree (I have six Trees), there are the following CRLs:
    One (for RSA)
    OneEC (for ECDSA)

    They both have distribution points. However I inherited this system so I don't know if they are being used. Is there a way to tell? Will these migrate over?

    There are 4 DPs configured: LDAP, LDAPS, http and https.

    Thank you!
    Last edited by ka12312; 20-May-2019 at 07:48 PM.
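
Norbert's question in #9 (does the CA put a CRL Distribution Points extension into the certificates it issues?) and the follow-up in #10 (the CRLs have distribution points, but are they being used?) can both be checked from the certificates themselves. The script below is an added example, not code from the thread or from Micro Focus: it walks a DER-encoded X.509 certificate with the standard library only, locates the CRL Distribution Points extension (OID 2.5.29.31) and lists the URIs in it. Run it against certificates exported from the CA or from the servers (`python crl_dp.py server-cert.der`); with no argument it parses a constructed, unsigned sample certificate carrying the four DP kinds named in #10 (the `example.org` URIs are made up). If issued certificates carry no such extension, relying parties have nothing to fetch and the CRL migration question is moot; if they do, which applications actually fetch it is only visible on the distribution point side, in the LDAP or web server's access logs.

```python
# Added example, not code from the thread or from Micro Focus: find the CRL
# Distribution Points extension (OID 2.5.29.31) in a DER X.509 certificate and list
# its URIs, standard library only. The sample certificate below is constructed.
import sys
CRL_DP_OID = "2.5.29.31"

def _read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, constructed, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 certificates")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def _children(buf):                         # elements of a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        out.append((tag, constructed, value))
    return out

def _decode_oid(value):                     # OBJECT IDENTIFIER body -> dotted string
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def _find_extension(buf, oid):
    """Depth-first search for Extension ::= SEQUENCE { OID, [BOOLEAN], OCTET STRING }."""
    for tag, constructed, value in _children(buf):
        if not constructed:
            continue
        kids = _children(value)
        if (tag == 0x30 and kids and kids[0][0] == 0x06
                and _decode_oid(kids[0][2]) == oid and kids[-1][0] == 0x04):
            return kids[-1][2]              # extnValue content
        found = _find_extension(value, oid)
        if found is not None:
            return found
    return None

def _collect_uris(buf):
    """Every GeneralName uniformResourceIdentifier ([6] IA5String), at any depth."""
    uris = []
    for tag, constructed, value in _children(buf):
        if tag == 0x86:
            uris.append(value.decode("ascii"))
        elif constructed:
            uris.extend(_collect_uris(value))
    return uris

def crl_distribution_points(cert_der):
    """URIs from the CRL DP extension; None when absent (no CRL pointer at all),
    [] when the extension names only non-URI locations such as a DN."""
    ext = _find_extension(cert_der, CRL_DP_OID)
    return None if ext is None else _collect_uris(ext)

# --- constructed sample input: certificate-shaped, unsigned, dummy key ---
OID_CRL_DP, OID_CN = b"\x55\x1d\x1f", b"\x55\x04\x03"        # 2.5.29.31, 2.5.4.3
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"     # 1.2.840.113549.1.1.11
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"            # 1.2.840.113549.1.1.1

def _der(tag, content):                     # one definite-length DER element
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(uris, with_extension=True):
    # DistributionPoint { distributionPoint [0] { fullName [0] GeneralNames } }
    names = b"".join(_der(0x86, u.encode("ascii")) for u in uris)
    crl_dp = _der(0x30, _der(0x30, _der(0xA0, _der(0xA0, names))))
    ext = _der(0x30, _der(0x06, OID_CRL_DP) + _der(0x04, crl_dp))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x13, b"Example Org CA"))))
    alg = _der(0x30, _der(0x06, OID_SHA256_RSA))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")          # v3, serial 1
           + alg + name                                                   # signature, issuer
           + _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"290101000000Z"))
           + name + _der(0x30, _der(0x30, _der(0x06, OID_RSA)) + _der(0x03, b"\x00")))
    tbs += _der(0xA3, _der(0x30, ext)) if with_extension else b""         # extensions [3]
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))        # no real signature

SAMPLE_URIS = [  # constructed; one of each DP kind named in the thread
    "ldap://ldap.example.org/cn=One,cn=CRL%20Container,cn=Security?certificateRevocationList",
    "ldaps://ldap.example.org/cn=One,cn=CRL%20Container,cn=Security?certificateRevocationList",
    "http://pki.example.org/crl/One.crl",
    "https://pki.example.org/crl/One.crl",
]
if __name__ == "__main__":                  # usage: python crl_dp.py [cert.der]
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cert(SAMPLE_URIS)
    dps = crl_distribution_points(der)
    print("no CRL Distribution Points extension" if dps is None else "\n".join(dps))
```

The walker deliberately does not validate the signature or chain; it only answers the structural question of whether a pointer to the CRL is present and where it points. Note that `_collect_uris` also picks up URIs from a `cRLIssuer` field if a distribution point has one, which is still a location a client may contact.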
