
Re: PKI Error code -603 during Certificate Server Install


Massimo Rosen

Jul 16, 2010, 12:09:23 PM
Hi,

gwcisco wrote:
>
> From what I've read from previous posts on this discussion forum I'm
> supposed to delete the CA and recreate it to fix this issue. However, I'm
> concerned if deleting it will break other services such as GroupWise,
> iManager, etc.
>
> What kind of implications should I expect from deleting the CA?

Immediately? None. All previous certificates issued by the "old" CA will
continue to work as usual.

However, new certificates issued after the recreation of the CA will be
distinctively different than before, as they will be signed from a
different CA.

Some implications:

Anything that has "validated" the old certificates via the public root
certificate originally, will not accept the new certs. One pretty
important piece, especially on NetWare, is the sys:\public\rootcert.der
file. Some services, e.g. Tomcat, use this to validate presented certs,
like the LDAP ones, which will fail once LDAP uses certs from the new CA
(as the rootcert.der will no longer match the CA).

So by far the best option when changing the CA is:

1. To recreate *all* certificates immediately, instead of waiting for
them to expire.
2. Export a new rootcert.der, and copy it into all sys:\public
directories on all servers.
3. If the previous rootcert.der has been used by e.g. Windows clients to
authorize your tree certificates universally, that has to be redone with
the new rootcert.der.

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de
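
A check for step 2 above, added here as an example and not part of the original post: it compares every server's copy of rootcert.der against the newly exported one by SHA-256 fingerprint and reports copies that are stale or missing. The function names, the server names and the directory layout (each sys:\public reachable as a local path) are assumptions, and the sample files hold constructed placeholder bytes rather than real certificates.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 over the raw DER bytes of the file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_rootcerts(new_root: Path, public_dirs: dict[str, Path]) -> dict[str, str]:
    """Classify each server's rootcert.der as 'current', 'stale' or 'missing'."""
    expected = fingerprint(new_root)
    status = {}
    for server, public in public_dirs.items():
        # Case-insensitive match (assumption: the volume may be mounted on a
        # case-sensitive host where the file shows up as ROOTCERT.DER).
        matches = []
        if public.is_dir():
            matches = [p for p in public.iterdir() if p.name.lower() == "rootcert.der"]
        if not matches:
            status[server] = "missing"
        elif all(fingerprint(p) == expected for p in matches):
            status[server] = "current"
        else:
            # Still the old CA's root: services validating against it will
            # reject certificates issued by the recreated CA.
            status[server] = "stale"
    return status


def demo() -> dict[str, str]:
    """Constructed sample: FS1 updated, FS2 still on the old root, FS3 has no copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        old_der, new_der = b"constructed-old-CA-root", b"constructed-new-CA-root"
        new_root = base / "exported" / "rootcert.der"
        new_root.parent.mkdir()
        new_root.write_bytes(new_der)
        dirs = {}
        for server, content in {"FS1": new_der, "FS2": old_der, "FS3": None}.items():
            dirs[server] = base / server / "public"
            dirs[server].mkdir(parents=True)
            if content is not None:
                (dirs[server] / "ROOTCERT.DER").write_bytes(content)
        return audit_rootcerts(new_root, dirs)


if __name__ == "__main__":
    for server, state in demo().items():
        print(f"{server}: {state}")
```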
