
Re: Not able to locate root CA


Edward van der Maas

Oct 11, 2009, 6:36:36 PM
gokulnathb wrote:

>
> eDirectory version 8.7.3
> OS Solaris 8
>
> There are several partitions in the tree and apart from the root
> partition, there are other partitions, one of which is called the
> server partition, which has all the server objects.
>
> There is only one Key Material object, that is the DNS
> certificate object, and not the IP Certificate object. So when I
> create an IP certificate object with ConsoleOne for the CA authority, I
> get a message saying unable to locate the CA root certificate. Can
> anyone tell me how we could make it locate the CA root certificate
> object? Is this because of the partitions in the tree? The server
> partition is two steps down from the top level tree object.

It sounds like your CA is dead. Go to the security container and check
the properties of your CA object. Make sure the host server is still
alive.

--
Cheers,
Edward

Edward van der Maas

Oct 12, 2009, 12:07:22 AM
gokulnathb wrote:


> I have performed this cert creating step by logging in to the same
> server for which I wanted to create the IP certificate. Hence, the
> server is alive.

OK, in that case it could mean the private key has somehow got
corrupted. Do you have a backup of your CA?


--
Cheers,
Edward

a...@novell.com

Oct 12, 2009, 12:44:57 AM

That's not what Edward asked for though... he said to look at your CA
object. Do so, please.

Good luck.

gokulnathb wrote:

> I have performed this cert creating step by logging in to the same
> server for which I wanted to create the IP certificate. Hence, the
> server is alive.
>
>


Edward van der Maas

Oct 12, 2009, 12:51:24 AM
gokulnathb wrote:

>
> No, I don't have a backup.
>
> Can I delete the DNS cert and execute ndsconfig upgrade? That would
> create both the certificates for me, right?

As long as we don't know for sure your CA is working properly that
command would fail as well.

--
Cheers,
Edward

a...@novell.com

Oct 12, 2009, 2:21:15 PM

You'll need to recreate the CA, then. `ndsconfig upgrade` may take care
of this from the command line on the server you want to be the CA host.
The eDirectory documentation also probably tells how to recreate the CA,
along with TIDs and such.

Good luck.


gokulnathb wrote:


> a...@novell.com;1870559 Wrote:
> That's not what Edward asked for though... he said to look at your CA
> object. Do so, please.
>
> Good luck.
>
>

> Thanks for saying that.
> When right clicked the properties of root CA object, I get a message
> saying that
>
> "The object non-functional because of the 'Host server attribute is
> missing' and it has asked to refer the TID 10056795"
>
> The TID said in the others options, go to attributes and add host
> server attribute, I am trying to search for the attribute, but the host
> server attribute is missing.

Edward van der Maas

Oct 12, 2009, 6:00:49 PM
a...@novell.com wrote:

> You'll need to recreate the CA, then. `ndsconfig upgrade` may take
> care of this from the command line on the server you want to be the
> CA host.

Isn't that only when you delete the object first?


--
Cheers,
Edward

Edward van der Maas

Oct 12, 2009, 6:02:00 PM
gokulnathb wrote:


> > Thanks for saying that.
> > When right clicked the properties of root CA object, I get a message
> > saying that
> >
> > "The object non-functional because of the 'Host server attribute is
> > missing' and it has asked to refer the TID 10056795"
> >
> > The TID said in the others options, go to attributes and add host
> > server attribute, I am trying to search for the attribute, but the
> > host server attribute is missing.

Delete the CA object and recreate it. You can do that using ConsoleOne
or iManager. Once recreated, export it, include the private key and
store the file somewhere safe.


--
Cheers,
Edward

Peter Kuo

Oct 12, 2009, 6:21:49 PM
gokulnathb wrote:

> >
> > The TID said in the others options, go to attributes and add host
> > server attribute, I am trying to search for the attribute, but the host
> > server attribute is missing.

The thing is that if there is a snapin that "manages" a given attribute
(say, Title for a User), then this attribute is not shown in the Others
tab. While I don't have a copy of C1 in front of me right just now,
the PKI snapin would/could mask the Host Attribute from being seen. You
can opt to disable some snapins, or simply go the LDIF route (which I
would do if I were in this situation).


--


Peter
eDirectory Rules!
http://www.DreamLAN.com

Edward van der Maas

Oct 14, 2009, 6:11:59 PM
gokulnathb wrote:

>
> But, with the testing pki snapin in console one, I am not able to find
> the snapin.

Most likely you can get them only with NetWare.

--
Cheers,
Edward
