How can I install a 3rd party Certificate for Groupwise Webaccess 7.0.3 running on NETWARE 6.5

aqtech1
Can anyone tell me step by step how to install a 3rd party Certificate with Webaccess 7.0.3 running on NETWARE 6.5 sp8, Apache 2.0.63?

Background details...
I generated a CSR using gwcsrgen.exe, sent it to my 3rd party (GoDaddy), and I got back a Certificate bundle. Can't I just import those somehow into NDS?
Because I'm on NetWare, should I have NOT used gwcsrgen.exe & instead should I have created an NDS object specifying external signing?
Scott Kunau, Sr. Consultant/Managing Partner

Commented:
You were right to do as you've done.  What files did GoDaddy return to you?

Looking at ConsoleOne and the WebAccess object, I find the SSL Settings selection on the GroupWise tab.  It shows two boxes to point to files: The Certificate file and the SSL key file.  You should copy these two files into the sys:system directory as well as into your <domain>\wpgate\webac70a directories.

If they sent you a .pfx file or they sent you the signed CSR back, you'll need to generate your certificate file.  This is done in Console One too.  Click on an O or OU in the NDS part of C1 and then go to Tools menu | Issue Certificate.  You will browse for the returned .CSR file or you will have opened it with notepad and copied *everything* in the file, including the starting and ending words.

Follow the wizard by clicking Next, and you will select External, which should be one of the radio button selections. If External isn't there, there should be a Custom option. You'll need to save the file in .b64 or .pem or .pfx or .crt format.

This should get you started.  Here is a TID I found from looking through the Novell forums:

http://support.novell.com/docs/Tids/Solutions/10089761.html

Scott

Author

Commented:
I thought the SSL Settings selection on the GroupWise tab of the WebAccess object in C1 was for the GWWebAcc Agent to communicate with the POA over SSL, AND/OR for the administrative web console to use when you connect with a browser, not for an internet browser connecting to read email. Is it for all 3?

Ah, I didn't understand that the CSR is not the same one I sent them; they've 'signed' it, and now it's different, is that correct?

Additional Background:
I have SSL working over the internet, but my users get the popup: "invalid certificate". I didn't set that up, someone else did. I can also browse internally to iManager on SSL over port 8009. So internally the certificates and SSL seem to be working fine too, using internally generated certificates.

Thanks, I'll take a look at this Monday & see how it goes.

You've already got your bundle back from GoDaddy so you just need to open ConsoleOne (you will need the certificate server snapin) and import it.

1. Open ConsoleOne
2. Find the certificate object you created and open it. Click the Certificates tab.
3. For Trusted Root Certificate, click Import and read from your file gd_bundle.crt.
4. Pull-down to Public Key Certificate and Import again, this time choosing the other .crt file you got from GoDaddy - this is the one for your web server.

Word of warning - if the certificate object in ConsoleOne has a dash in the name e.g. you called it GoDaddy - Webaccess or something, you'll have a problem. The process automatically appends - [servername] to the end of this object, and the name will now include two dashes. eDirectory doesn't like this and will return a -601 error. If you get this, rename the certificate object to something without a dash in it.

Now you need to configure your web server to use this certificate. I only wanted the Webaccess application to use this cert, so I unloaded both instances of apache (ap2webdn and admsrvdn at the console) and edited httpd.conf to use the new one. This file is located in SYS:APACHE2\CONF\HTTPD.CONF. Edit it and search for "SSL CertificateDNS" and replace that string with the name of your new certificate (do not include the server name like it shows in ConsoleOne). Bring Apache back up (ap2webup and admsrvup) and it should be using the new cert.

Further reading:
TID 3920370 How to import a Production VeriSign External Certificate into eDirectory 8.7.3 using ConsoleOne:
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3920370&sliceId=1&docTypeID=DT_TID_1_1&dialogID=72005490&stateId=0 0 72003796

TID 3033173 How to import a Production VeriSign External Certificate into eDirectory using iManager
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3033173&sliceId=1&docTypeID=DT_TID_1_1&dialogID=72005495&stateId=0 0 72003802
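Before importing the two .crt files into the KMO, it is worth confirming on any machine with openssl that the server certificate GoDaddy returned really carries the public key from your CSR and chains to the bundle; a mismatch is exactly what makes ConsoleOne's validation complain later. This is an added example, not part of the original answer or of Novell's tooling: it constructs a throwaway CA, key and CSR in a temp directory so it runs offline, and the file names gd_bundle.crt, server.csr and server.crt stand in for your real files.

```shell
#!/bin/sh
# Added example: check a CA-returned certificate against the CSR you sent and
# against the CA bundle, before touching the KMO in ConsoleOne.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-in for the CA bundle (gd_bundle.crt) and its key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out gd_bundle.crt \
  -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
# Server key + CSR, the equivalent of what gwcsrgen.exe or the KMO produced.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=webmail.example.test" >/dev/null 2>&1
# Constructed stand-in for the signed certificate the CA sends back.
openssl x509 -req -in server.csr -CA gd_bundle.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 2 >/dev/null 2>&1
# A second CSR with a different key, to show what a "re-keyed" mismatch looks like.
openssl req -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
  -subj "/CN=webmail.example.test" >/dev/null 2>&1

# key_matches CSR CERT: succeeds only if both carry the same public key.
key_matches() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$csr_pub" = "$crt_pub" ]
}

# chain_ok BUNDLE CERT: succeeds only if CERT verifies against BUNDLE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report what ConsoleOne will compare: subject, issuer and validity.
openssl x509 -in server.crt -noout -subject -issuer -dates
if key_matches server.csr server.crt && chain_ok gd_bundle.crt server.crt; then
  echo "OK: certificate matches the CSR key and chains to the bundle"
else
  echo "MISMATCH: do not import this pair into the KMO"
fi
```

If key_matches fails against the CSR your KMO generated, the certificate was issued for a different key (for example an earlier CSR), and no amount of importing will make the KMO validate it.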

Author

Commented:
Because I could not remember how the Certificate was created, nor exactly what I typed in as the Subject, when I originally applied to Go Daddy, I 're-keyed' my GoDaddy Certificate using their website. They asked for a new CSR & wanted me to paste it up there. So I created a new NDS KMO (Key Material Object) which in turn gave me a new CSR *.b64 file. I opened it with notepad & copied the text out of it & pasted it up on GoDaddy. They gave me 2 new certificates, gd_bundle.crt & webmail.brawwlaw.com.crt

Now, when I imported the certificates into C1 in the NDS KMO I just created earlier, the import worked fine. It did not give me an error that the key in the cert did not match the key in the NDS KMO. However, I did receive an error when I try to validate the certificate in C1. When I click the validation button on the Certs TAB, it tells me that both the root and the one for my server are invalid because the subject doesn't match what's in the certificate. Why?

Anyhow, I thought I would try it. I made the change to my httpd.conf file and voila, it is working! Internet browsers are no longer hit with an invalid certificate popup when they do SSL to my webaccess site!

I am trying to get an SSL Certificate from GoDaddy installed on my NetWare 6.5 sp6 server using ConsoleOne. Ultimately, I want my Apache Webserver to use the new certificate for https connections.

I have followed the steps above but when I go to validate the certificates they come back as invalid with the reason: "Certificate Revocation List Invalid".  Does anyone know how to get around this problem?
